DEADLOCK-FREE SHARING OF RESOURCES
IN ASYNCHRONOUS SYSTEMS* 

Abstract 



Whenever resources are shared among several activities that hoard 
resources, the activities can attain a state of deadlock in which, for 
lack of resources, none of the activities can proceed. Deadlocks can 
be prevented by coordination of the sharing. Efficient running of the 
activities under such coordination requires knowledge of the patterns 
of use of resources by the activities. 

This thesis presents a study of deadlock prevention in systems in 
which a knowledge of the usage of resources by the activities during 
several phases of steady resource usage is available. A representation 
called a demand graph is presented and used for the study of deadlocks. 
The model is a general one and encompasses systems in which the activi- 
ties themselves consist of more than one sequence of phases and are not 
necessarily independent of each other. The analysis is applicable to 
computer systems as well as systems in the realm of operations research. 



*This report reproduces a thesis of the same title submitted to the
Department of Electrical Engineering, Massachusetts Institute of
Technology, in partial fulfillment of the requirements for the degree
of Doctor of Science, September 1970.

Chapter 1

Introduction



§1.1 Deadlocks 

As this thesis deals with deadlocks and their prevention, it is 
necessary for the reader to appreciate the nature of deadlocks. Three 
examples are presented below, with the aim of introducing the concept 
of deadlock to the reader. 

The first example concerns a canal with locks and two drawbridges 
on it. The drawbridges lie on a road, as shown in Figure 1.1, which has 
been laid so as to avoid a marsh and crosses the canal twice. Both the 
canal and the road carry traffic in one direction only. The principal 
traffic on the canal consists of barges. As a barge approaches Bridge A, 
a warning is sounded when the barge is 100 metres from the bridge and, 
when the bridge is free of cars, it is drawn. The bridge stays drawn 
until the tail end of the barge has passed the bridge. A similar disci- 
pline is followed for Bridge B. 

The system works very well until a rather long barge comes in on 
a day when traffic is heavy. Then it can happen that Bridge A is 
drawn and a queue of cars begins to build up that extends well past 
Bridge B. Then the barge reaches Bridge B while its tail end is still 
under Bridge A. But Bridge B cannot be drawn because there are cars on 
it! The cars on Bridge B cannot move ahead until Bridge A is lowered and 
that cannot be done until the barge has moved ahead, which in turn cannot 
be done until the cars on Bridge B move on! A deadlock has thus occurred 
because neither the cars nor the barge can back up. The deadlock will 
persist indefinitely.

The deadlock above occurred because of improper planning of the use
of the bridges by cars and barges. If the warning for Bridge B had been 
issued at the same time that it was issued for Bridge A, the deadlock 
would not have occurred. This is not just a matter of hindsight; rather, 
it indicates that deadlocks cannot be prevented without a priori know- 
ledge of the use of shared resources (in this case the bridge). It will 
be noted that a stochastic model is useless in this case; knowing that the 
probabilities of there being very heavy traffic when a barge crosses the 
section of the canal between Bridges A and B, and that a barge is long 
enough to cause trouble, are each 0.07, with a consequent 0.995 probability 
(assuming independence of the two events) of successful operation, is of 
little comfort. Deadlocks, when they are catastrophic in their conse- 
quences, must be prevented. 

The second example concerns a maintenance hangar for aeroplanes. 
The planes that come in for servicing represent tasks for the workshop. 
Planes coming in for servicing are put onto stands for service. It is not 
known, when a plane comes in, how much work needs to be done on it and, 
therefore, how long it will take to overhaul the plane. When a plane is 
taken in, the bottom of the plane is opened up on the stand and various 
kinds of jigs are inserted for the overhauling. If planes are taken in 
whenever a stand is empty, it is possible to reach a condition in which the 
jigs are all used up and yet each plane needs more jigs before its over- 
hauling is complete and jigs are released. (It is assumed that jigs can- 
not be pulled off incompletely serviced planes as they also perform the 
structural function that parts that have been removed perform.) Once more
deadlock is possible. The point being emphasized here is that the 
scheduling of work for the hangar is not analogous to that of scheduling 
work for an assembly shop. The servicing of planes is asynchronous, in 
the sense that the times for processing of planes are not the same. 
Thus the principal interest is not in picking a schedule that minimizes the 
average processing time but rather in letting the processing of jobs which 
are accepted proceed at their own pace, subject to the avoidance of dead- 
lock. In this respect, the systems considered in this thesis differ fun- 
damentally from the systems analyzed in the field of Project Scheduling 
as typified by [1]. Another fundamental difference is that resources 
(here, jigs) are not always returned between two overhauling operations, 
i.e., it is not true that at the end of an operation, all the resources 
required for its execution become available for general use. This reten- 
tion of resources is a sine qua non for the occurrence of deadlocks and 
its absence in Job Shop Systems is probably why, to the best of the 
author's knowledge, it has not been studied in the field of Job Shop 
Scheduling. Job Shop Scheduling will be taken up later, in greater de- 
tail, at the end of Chapter 3. 

The third example relates to computer systems with a one-level memory
and multiprocessing. Here core memory is shared and processes can become
deadlocked for lack of free core. Processes cannot be deprived of
memory already allocated, as this implies nullification of any partial 
computation already performed. The penalty for de-allocation is thus 
the expenditure of time and computational effort to recompute, and this
can be substantial. This example brings out the large cost that undoing 
the consequences of deadlock can imply, if at all this is possible. That 
deadlocks could be resolved in this example is not unusual. Deadlocks 
can almost always be resolved by preemption. Even in the first example 
the deadlock can be broken at the cost of the destruction of the cars on 
Bridge B. The resolution of deadlocks is no solution at all precisely be- 
cause the price paid is too high to ignore the possibility of the preven- 
tion of deadlocks. 

The problem of prevention of deadlocks has been approached recently 
with a view to seeking elegant solutions. Some of the earlier work is 
described below. 

§1.2 Past Work 

The best known past work in this field is that of Habermann [2,3] 
who extended the somewhat more specialized analysis that was given by 
Dijkstra in [4]. Habermann's analysis is summarized in the next paragraph 
and the one following it. However, both assume the availability of some 
information about the amounts of resource that will be needed by the dif- 
ferent tasks in the system. Havender, in [5], treats a somewhat more 
specialized case of resource usage. The work of Habermann is the most
elaborate of the three and also provides the basis and some of the
terminology of this thesis.

Habermann considers sequential processes, i.e. tasks, (say m of
them) sharing several (say n) types of resource. All the units of
resource of any one type are equally useful. Each process is required to
state the maximum amount of resource of each type that it will need:
$m_{ij}$ for process i and resource-type j. The processes are free to
acquire and release resources as they please, subject to these maxima.
The analysis assumes that the various maximum amounts, $m_{ij}$, for a
process may be needed simultaneously, and thus there is a maximum demand
vector for each process, $m_i$ for process i, whose n components are the
maximum demands for each of the resource types. Allocation of resources
is done on the basis of actual requests for additional resource from
processes and so as to prevent the occurrence of deadlock. At any
instant, each process has been allotted a certain quantity of each kind
of resource so that there is a vector of allocations to the process.
Allocation vectors are represented by $a_i$ (for the i-th process). The
combined status of the processes at any time is thus represented by the
allocation state, $(a_1, a_2, \ldots, a_m)$, whose components are the m
vectors of allocation for the m processes. An allocation state is said
to be safe if there is some sequence in which the needs of each process
can be met, one at a time, so that all the processes can terminate. Each
process is assumed to terminate within a finite amount of time once its
needs have been satisfied fully. Habermann has shown that the definition
of safeness can be restated as a test for the safeness of an allocation
state, viz that there should exist a sequence, $i_1, i_2, \ldots, i_m$,
of the m processes so that the allocation vectors and the unused
resources vector, R, satisfy the set of inequalities:

$$m_{i_2} - a_{i_2} \le R + a_{i_1}$$
$$\vdots$$
$$m_{i_m} - a_{i_m} \le R + a_{i_1} + a_{i_2} + \cdots + a_{i_{m-1}}$$

Habermann has shown that deadlock can be avoided if the allocation state
is safe but not otherwise. It can be seen easily that the inequalities
above can be rearranged in a canonical order so that the left hand sides
are non-decreasing. Thus the unused resources, R, at any time need only
be as large as the smallest of the unsatisfied resource needs of the
users at that time! (Clearly then the amount of unused resources need
never exceed the smallest of the maximum demands, $m_{ij}$.)
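
The safeness test summarized above, together with the request check built on it, can be written out as follows. This is an added example, not code from the thesis or from Habermann's papers; the function names and the three-process, two-resource sample state are constructed for illustration.

```python
from typing import List, Optional, Sequence

Vector = Sequence[int]  # one entry per resource type

# Constructed sample state: 3 processes, 2 resource types.
MAX_DEMAND = [(5, 3), (3, 2), (7, 2)]   # maximum demand vectors m_i
ALLOC = [(1, 1), (2, 0), (3, 1)]        # allocation vectors a_i
UNUSED = (2, 2)                         # unused resources vector R


def fits(need: Vector, free: Vector) -> bool:
    """Componentwise 'need <= free' over all resource types."""
    return all(x <= y for x, y in zip(need, free))


def safe_sequence(max_demand: Sequence[Vector], alloc: Sequence[Vector],
                  unused: Vector) -> Optional[List[int]]:
    """Return an order in which every process can finish, or None if unsafe.

    A process may be placed next when its outstanding need (maximum demand
    minus current allocation) fits in the unused resources plus everything
    held by the processes already placed in the sequence.
    """
    free = list(unused)
    pending = list(range(len(alloc)))
    order: List[int] = []
    while pending:
        for i in pending:
            need = [m - a for m, a in zip(max_demand[i], alloc[i])]
            if fits(need, free):
                break
        else:
            return None  # no pending process can be satisfied: unsafe state
        # Process i runs to completion and returns what it holds. The free
        # pool only grows, so taking the first runnable process never rules
        # out a sequence that some other choice would have found.
        free = [f + a for f, a in zip(free, alloc[i])]
        pending.remove(i)
        order.append(i)
    return order


def can_grant(i: int, request: Vector, max_demand: Sequence[Vector],
              alloc: Sequence[Vector], unused: Vector) -> bool:
    """Grant a request only if the resulting allocation state is safe."""
    if not fits(request, unused):
        return False  # the units are not free right now
    new_alloc = [a + r for a, r in zip(alloc[i], request)]
    if not fits(new_alloc, max_demand[i]):
        return False  # the process would exceed its stated maximum
    trial = [list(a) for a in alloc]
    trial[i] = new_alloc
    remaining = [u - r for u, r in zip(unused, request)]
    return safe_sequence(max_demand, trial, remaining) is not None


if __name__ == "__main__":
    print("safe order:", safe_sequence(MAX_DEMAND, ALLOC, UNUSED))
    print("grant (2,0) to process 2:",
          can_grant(2, (2, 0), MAX_DEMAND, ALLOC, UNUSED))
    print("grant (1,0) to process 1:",
          can_grant(1, (1, 0), MAX_DEMAND, ALLOC, UNUSED))
```

In the sample state the request by process 2 is refused even though the units are free, because granting it leaves no process whose outstanding need fits in what remains.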

In contrast to the good utilization of resources that is found
above, when no information about resource usage is available at all, the
processes can only be run sequentially. The greater information available
in the former case is what permits more efficient utilization of resources.
This is what suggests that systems capable of handling more detailed
information about resource usage should be of interest, as even better
utilization of resources may be possible. This thesis is an attempt to study
how this more detailed information can be used to advantage.

Shoshani has worked on an extension of Habermann's analysis using
an algebraic model [6]. His results are similar to, though somewhat less
general than, some of the results obtained independently by the author
and reported here. In [7] he discusses the problem of recovery from
deadlocks with minimum cost and presents an elegant solution.



§1.3 The Problem



The systems dealt with in this thesis consist of a number of
processes, i.e., unified sequences of activities. The processes are
asynchronous, i.e., temporal relationships between the activities of two
processes based on a single time axis are meaningless. The processes
share several kinds of resource from a pool. The various combinations
of resources needed during the activity of each process are assumed to be
known. The processes do not have to be sequential in activity or
independent of each other. The problem treated of is that of allocating
resources in such a system in a manner that prevents the occurrence of
deadlock and optimizes utilization of the resources. The choice of an
appropriate model is important for the analysis of deadlock and a
graphical one has been chosen for this purpose.

As before, an example is presented here which, it is hoped, will 
prove useful in gaining the proper perspective. The example will be re- 
ferred to as "the construction analogue" later on, as it deals with the 
building construction industry and as the principal context for the treat- 
ment of deadlock prevention will be that of computer systems. 

† These are the two areas in which Habermann's analysis is extended here.

The construction analogue concerns a construction equipment rental
company. Several contractors rent equipment from this company, the only
one in the neighborhood, to build buildings which they sell when completed.
From the point of view of the company, each contractor is a process which 
it serves. Each contractor knows the phases that his work will go through, 
such as foundation building, wall erection, and so on, and the amounts of 
each kind of equipment that he needs in each phase. He knows that when he 
needs bulldozers he does not need scaffolding, and so on, so that the max- 
imum needs for each kind of resource (equipment) do not, in general, oc- 
cur simultaneously. He does not know exactly how long each phase will 
last, because of uncertainties of weather, material supply and availability 
of labor. Moreover, these uncertainties are different for different con- 
tractors and so the different processes in the system are asynchronous. 
Each contractor gives the company a description of resource needs in 
phases and expects, in turn, to be rented equipment on a first-come-first- 
served basis but without ever being deadlocked in conjunction with other 
contractors. He will return equipment when he does not need it, but not 
under any other circumstances; for he works in competition with other con- 
tractors. Several contractors may undertake joint projects, so that their 
activities are not necessarily independent. Moreover, a single contractor 
may undertake several projects which can proceed independently of each 
other or interact at arbitrary points in their activity. Also, a phase 
in a contractor's activity, or a set of phases for that matter, may be 
capable of execution with more than one alternative combinations of equip- 
ment. Contractors are free to undertake new projects upon completion of 
others and new contractors can enter the system. The problem that the 
company faces is that of maximizing its income from the rental of the
equipment, while satisfying all its clients.

In terms of computer systems, computations correspond to the con- 
tractors. New computations enter the system when they are created by the 
principals (users) of the system. The computations need not be sequential. 
The resources shared are active memory, arithmetic units, input output 
devices, etc. There is considerable latitude in the detail to which the 
analysis may be extended -- thus specialized functional units inside the 
arithmetic unit, for instance, can also be considered resources if it is 
so desired. The active memory is considered to consist of one level and 
space in it is allocated to processes dynamically. As the memory has only 
one level, it is not possible to free space in active memory by pre- 
emption without destroying information. When the memory does consist of 
several levels, deadlock cannot occur on account of memory. For free 
space can be created by moving information to a lower level; however, the 
large time delays in such movement of information that are encountered in 
practice emphasize the need for prevention of deadlocks, as does the pos- 
sibility of thrashing. The inability to preempt resources is more evident 
in the case of input output devices such as tape-drives, plotters and 
graphic output devices.

It is not proposed that a user or programmer supply the information 
about resource needs; rather, it is assumed that a pre-processor of some 
sort, perhaps a compiler, provides the information. It is not a fanciful 
idea to expect that such information can be extracted from programs. It 
is already known how to get upper bounds on core usage of non-recursive 
programs, if only conservative estimates. It is not necessary to extract
further detailed information from a program although, if such information 
can be obtained, it can be used. It is merely required of the principal 
that he state which procedures are used, and in what sequence, in the defi- 
nition of the computation. Thus, rather than determining the largest of 
the memory requirements of the individual procedures making up the com- 
putation and stating just that, the entire information consisting of the 
sequence of procedure calls and the memory requirements of each procedure 
can be made available. 

An important restriction that is placed on programs to which the 
study undertaken in this thesis applies is that they not contain unre- 
stricted recursion; for it is impossible to guarantee that deadlocks will 
be prevented if the demands of a process can increase beyond bound. 

§1.4 Plan of the Thesis 



Chapter 2 introduces the demand graph as the model to be used to 
represent the systems of interest. Specialized demand graphs of systems 
with sequential processes and a single type of resource are analyzed here.
A non-enumerative algorithm is presented for determination of safeness, 
a concept related to deadlock avoidance, in this chapter. 

Chapter 3 extends the analysis of Chapter 2 to systems with more 
than one type of resource. The concepts of limited-backtracking and 
linearity are introduced and it is shown that linear algorithms for 
determination of safeness do not exist. The algorithm of Chapter 2 is
also extended. 

Chapter 4 introduces interactions between processes into the pic- 
ture. The analysis of Chapter 3 is extended to this case. 

An initial attempt at the handling of decisions, loops and alter- 
native ways of satisfying the resource requirements of a process is made 
in Chapter 5. 

Chapter 6 presents some concluding thoughts, and the appendix 
describes some properties of demand graphs deduced by the use of the 
theory of linear inequalities.

§2.1 Problems of the Use of Continuous Time

It was pointed out in Chapter 1 that the systems of processes 
being investigated in this thesis are those in which information about 
the usage of resources during the activity of each process is available. 
A natural way to think about such information is as graphs of resource 
usage with time. Figure 2.1 illustrates such graphs for two processes 
which share one kind of resource. Unfortunately, such graphs use time 
axes which are meaningful only for the respective processes; for the 
processes are asynchronous and so no temporal relationships between the 
activities of two processes that are based on a single time axis can be 
defined. The graphs are thus incomparable. However, from the point of 
view of resource allocation, only the epochs corresponding to changes in 
resource usage are of interest — the length of time, on any axis, be- 
tween such epochs is irrelevant. Thus, only these epochs need to be rep- 
resented in an abstract model for the study of deadlocks and resource al- 
location. The next section describes such a representation, viz the 
demand graph. The concept of a demand graph was inspired by Holt's work 
[8] on the representation of events and by the realization that 
it is the class of events, which correspond to changes in resource usage, 
that is of interest in the study of deadlocks.

§2.2 Demand Graphs

A demand graph is a finite directed graph with arcs and nodes;
the nodes are called transitions. Associated with each arc is a quantity
called a demand, chosen from a set A. A quantity called the capacity,
which is represented by C and also chosen from the set A, is associated
with the demand graph. The set A is ordered (partially or totally†)
and the demands associated with the arcs of a demand graph are always
less than or equal to the capacity associated with the demand graph.
Demand graphs are generally disconnected. In any case, every component
of a demand graph must contain at least one node that has in-degree
zero and one node that has out-degree zero.

† See §2.7.

The study of demand graphs in this thesis will proceed from a
restricted class of demand graphs, called Rectilinear Scalar Demand Graphs
and studied in this chapter, to progressively less restricted classes.

§2.3 Rectilinear Scalar Demand Graphs

Rectilinear Scalar Demand Graphs, or Scalar Demand Graphs for brevity,
are acyclic demand graphs that have the property that the components
are unilateral, i.e. for every pair of transitions at least one transition
is reachable from the other by a path. The components thus look like
chains and for this reason they are formally termed chains. The section
of a chain between any two transitions will be called a segment of
the chain; clearly, an arc of a chain is a segment of that chain. The
demands associated with the arcs of simple demand graphs belong to the
set of non-negative integers, and so does the capacity, C, associated with
the system. The demands associated with the first and last arcs of each
chain are 0. These arcs are called initial and terminal arcs of the
chains, respectively.

The Scalar Demand Graph is a model for a class of systems of pro- 
cesses in which resources are shared. The chains of a Scalar Demand Graph 
correspond to processes in the system represented by the graph. The 
transitions correspond to the epochs at which a change in resource usage 
occurs and the arcs to phases of activity of the processes, i.e. periods 
of steady resource usage. The processes can be said to be sequential as 
each phase can be followed by exactly one other phase. Moreover, as the 
sub-graphs consisting of chains are disjoint from each other, the pro- 
cesses they model can be said to be independent. The only interaction 
between processes is that due to sharing of resources. Later chapters 
will contain discussions that relate to broader classes of systems in 
which the processes are not so constrained. The demands associated with 
the arcs of the graph represent the demands for resources associated with 
the corresponding phases (of activity) of the processes. As the demands 
are integers, the processes modelled share a single type of resource from 
a common pool. The capacity, C, associated with a demand graph represents
the size of this pool or the number of servers in this pool. The
different servers are identical in their capability to serve and thus the
resource can be said to be homogeneous; in fact, a resource of any one
type will always be considered to be homogeneous. The requirement that
adjacent arcs have distinct demands is consistent with the fact that the 
transitions represent changes in resource usage. Needless to say, the re- 
sources are shared in an unpreemptable manner so that deadlocks can occur. 
The zero demands associated with the initial and final arcs of each chain 
represent the fact that processes which are uninitiated or terminated re- 
quire no resource. 

Some of the notation to be used in the discussion which follows is 
described next. 

§2.4 Notation 

A demand graph is denoted by D with appropriate superscripts when
two or more graphs have to be distinguished. The chains of a demand graph
will be denoted by $\chi_i$ (chi-i) where the suffix is an integer and serves
to identify the chain being denoted. In general, there will be m chains
so that i assumes values from the set of integers {1, 2, 3, ..., m}, which
will be denoted by [1, m]. The arcs of the demand graph are denoted by
their labels, $\alpha^i_j$, where the superscript i identifies the chain and the
subscript j the position of the arc on this chain. The arcs on a chain
are numbered in increasing order in the direction of the arrows. The
quantity $n_i$ represents the number of arcs on the chain $\chi_i$. Thus j
takes values in the set $[1, n_i]$ for arcs on $\chi_i$. Individual arcs are
sometimes denoted by $\alpha$ and $\beta$. The demand associated with an arc
$\alpha^i_j$ will be represented by $d(\alpha^i_j)$. The arrows on the chains will be
assumed to be directed downwards, so that "down a chain" means in the
direction of the arrows.

Figure 2.2 shows a typical demand graph from the class of Scalar 
Demand Graphs and illustrates some of the notation. 



§2.5 Slices of a Demand Graph 

A slice of a demand graph is a set of arcs, one from each chain; 
the slice is said to intersect the chains in the respective arcs. A slice 
is thus conceptually similar to a cut-set of the demand graph — it par- 
titions the transitions of a demand graph into those that lie above it and 
those that lie below it. The transitions that lie above the slice make 
up the predecessor set of the slice and those that lie below, the
successor set of the slice. The initial slice of a demand graph consists of
the set of initial arcs and the terminal slice consists of the set of ter- 
minal arcs of the graph. 

Slices of a demand graph are represented by lower case Greek
letters other than $\alpha$ and $\beta$, usually $\gamma$. The initial slice of a demand
graph is denoted by $\gamma_I$ and the terminal slice by $\gamma_T$. The arc from a
chain $\chi_i$ that goes into a slice $\gamma$ is represented by $\gamma \cap \chi_i$. It is
frequently necessary to refer to a slice obtained from another one by a
substitution of arcs. For this purpose a substitution operation on
slices is used. The operation is represented as (x/y), and read
"substitute arc x for arc y"; arcs x and y must belong to the same chain.
Thus $(x/y)\gamma$ represents the slice obtained by replacing arc y by arc x
in $\gamma$. The operation can be repeated so that expressions of the
form $(\alpha'/\alpha)(\beta'/\beta)\gamma$, which means "replace $\alpha$ and $\beta$ by $\alpha'$ and $\beta'$,
respectively, in $\gamma$", are possible. The notation $(\alpha^i_j / \gamma \cap \chi_i)\gamma$
represents the slice obtained when the arc $\gamma \cap \chi_i$ from the slice $\gamma$ is
replaced by the arc $\alpha^i_j$. Slices are also represented by a string made
up of the labels of the arcs from $\chi_1, \chi_2, \ldots, \chi_m$ (in order) that
make up the slice. Thus $\alpha^1_1 \alpha^2_1 \ldots \alpha^m_1$ is another notation for $\gamma_I$
and $(\alpha^1_{n_1}/\alpha^1_1)(\alpha^2_{n_2}/\alpha^2_1) \ldots (\alpha^m_{n_m}/\alpha^m_1)\gamma_I$ is
$\alpha^1_{n_1} \alpha^2_{n_2} \ldots \alpha^m_{n_m}$ or $\gamma_T$. Figure 2.3 shows several
slices; $\gamma_1$ is $\alpha^1_1 \alpha^2_2$, $\gamma_2$ is $\alpha^1_2 \alpha^2_1$, and so on. As has been done in
Figure 2.3, the arrows on the arcs of demand graphs will be omitted in
the figures that follow, unless clarity demands that they be shown.

The slices of a demand graph represent all the states of the sys- 
tem of processes; the arcs composing a slice indicate which phase each 
process is in. The state of the system is also known as the allocation 
state of the system since the phases are characterised by steady re- 
source usage. It should be noted that the allocation state is not de- 
termined by the set of m demands (and also allocations) of the m processes 
but rather by the set of m phases — the same set of demands may be en- 
countered for several combinations of phases. The allocation state of the 
system before any process is initiated is represented by the slice $\gamma_I$.
As the processes are initiated and progress, the slice representing the
current state, i.e. the current slice, moves to lower and lower
positions in the demand graph until the state where all the processes have
terminated is reached. The last state is represented by the slice $\gamma_T$.

§2.6 Relations on the Set of Slices of a Demand Graph 

Two relations, viz "earlier than or the same as" and "later than
or the same as", can be defined on the set of slices of a demand graph.
The relations have the same meaning as their names suggest intuitively.
A slice $\gamma_1$ is said to be earlier than or the same as a slice $\gamma_2$ if
the predecessor set of $\gamma_2$ includes the predecessor set of $\gamma_1$.
Predecessor sets are represented by $P(\gamma)$ and successor sets by $S(\gamma)$.
The relation "earlier than or the same as" is written "$\le$". Thus
$\gamma_1 \le \gamma_2$ if $P(\gamma_2) \supseteq P(\gamma_1)$. Similarly $\gamma_2$ is later than or the same
as $\gamma_1$, written $\gamma_2 \ge \gamma_1$, if $S(\gamma_1) \supseteq S(\gamma_2)$, i.e., if the successor set
of $\gamma_1$ includes that of $\gamma_2$. A slice $\gamma_2$ is said to be an immediate
successor of a slice $\gamma_1$ if $\gamma_1 \le \gamma_2$ and if the predecessor set of
$\gamma_2$ is larger than that of $\gamma_1$ by exactly one transition. In general,
a slice has m immediate successors. The immediate successor of a slice
$\gamma$ is denoted by $S_i(\gamma)$, where i identifies the chain on which the
successor differs from $\gamma$ in the arc used. In Figure 2.3, $\gamma_1$ is the
same as $S_2(\gamma_0)$ while $\gamma_2$ is $S_1(\gamma_0)$. The strict relations
corresponding to "$\le$" and "$\ge$" are represented by "<" and ">",
respectively, and are mutually complementary.

The relations "$\le$", "$\ge$", "<" and ">" are also used for arcs
with the same meanings, i.e., $\alpha_1 \le \alpha_2$, for instance, means that arc $\alpha_1$ lies
above arc $\alpha_2$ on some chain. In this connection, the arcs of a chain
may be regarded as degenerate slices, i.e., slices of demand graphs that
consist of single chains.
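
The sketch below is an added example, not code from the thesis. It encodes a Scalar Demand Graph as lists of arc demands and a slice as a tuple of arc positions, then searches the immediate successors of a slice for a path to the terminal slice on which total demand never exceeds the capacity. The 0-based arc positions, the function names, the two sample graphs and the working notion of a "completable" slice are assumptions of this example; the thesis's own definition of safeness and its non-enumerative algorithm are not part of this excerpt.

```python
from typing import Iterator, List, Optional, Sequence, Set, Tuple

Slice = Tuple[int, ...]            # slice[i] = 0-based arc position on chain i
Chains = Sequence[Sequence[int]]   # chains[i][j] = demand of arc j on chain i

# Constructed samples: two chains each, initial and terminal demands are 0.
PHASED = [[0, 2, 1, 0], [0, 1, 2, 0]]
HOARD = [[0, 1, 2, 0], [0, 1, 2, 0]]
CAPACITY = 2


def terminal_slice(chains: Chains) -> Slice:
    """The slice made up of the terminal arc of every chain."""
    return tuple(len(c) - 1 for c in chains)


def demand(chains: Chains, s: Slice) -> int:
    """Total demand of the phases (arcs) that make up slice s."""
    return sum(chain[j] for chain, j in zip(chains, s))


def earlier_or_same(s1: Slice, s2: Slice) -> bool:
    """s1 <= s2: no chain is further down in s1 than it is in s2."""
    return all(a <= b for a, b in zip(s1, s2))


def immediate_successors(chains: Chains, s: Slice) -> Iterator[Slice]:
    """Slices reached by moving exactly one chain past one transition."""
    for i, j in enumerate(s):
        if j + 1 < len(chains[i]):
            yield s[:i] + (j + 1,) + s[i + 1:]


def completable(chains: Chains, capacity: int, start: Slice,
                dead: Optional[Set[Slice]] = None) -> Optional[List[Slice]]:
    """Return a path of slices from start to the terminal slice on which
    total demand never exceeds capacity, or None if no such path exists."""
    dead = set() if dead is None else dead
    if demand(chains, start) > capacity or start in dead:
        return None
    if start == terminal_slice(chains):
        return [start]
    for nxt in immediate_successors(chains, start):
        tail = completable(chains, capacity, nxt, dead)
        if tail is not None:
            return [start] + tail
    dead.add(start)  # within capacity, yet every way forward is blocked
    return None


def safe_moves(chains: Chains, capacity: int, s: Slice) -> List[Slice]:
    """Immediate successors of s that an allocator could move to without
    leaving the set of completable slices."""
    return [n for n in immediate_successors(chains, s)
            if completable(chains, capacity, n) is not None]


if __name__ == "__main__":
    # Both processes hold 1 unit and none is free. A test that knows only
    # each process's maximum (2) sees two outstanding needs of 1 and rejects
    # this state; the phase information shows chain 0 is past its peak.
    print(completable(PHASED, CAPACITY, (2, 1)))
    # Both processes hold 1 and both need 2 next: within capacity, but stuck.
    print(completable(HOARD, CAPACITY, (1, 1)))
    print(safe_moves(HOARD, CAPACITY, (1, 0)))
```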

§2.7 Partial Orderings and Lattices 

A partial ordering† is a reflexive, antisymmetric and transitive
relation. For example, the ordinary "less than or equal to" relation for
integers is a partial ordering. A set with a partial ordering defined on
it is a partially ordered set. As explained above, the set of integers
is an example of a partially ordered set. A set is said to be totally
ordered if every pair of elements is related by the partial ordering
relation. The set of integers, for instance, is totally ordered. The set
of pairs of integers is only partially ordered, for neither (2,3) $\le$ (3,2)
nor (3,2) $\le$ (2,3) is true when "$\le$" is interpreted as requiring that
"$\le$" hold for each pair of corresponding components.

The least upper bound or l.u.b. of a subset, $\omega$, of a partially
ordered set, $\Omega$, is the smallest element of $\Omega$ that is greater than or
equal to every element of $\omega$. Thus the least upper bound of {3,5,7} is
7 while that of {(3,2), (4,1), (2,5)} is (4,5). The greatest lower bound
or g.l.b. of a subset, $\omega$, of a partially ordered set, $\Omega$, is the largest
element of $\Omega$ that is less than or equal to every element of $\omega$.

† Readers unfamiliar with these terms may wish to consult Birkhoff and
MacLane's book [9] or a similar work.

A lattice is a non-empty partially ordered set, every pair of 
elements of which has a l.u.b. and a g.l.b. A lattice is said to be a 
complete lattice if every finite subset of the lattice has a l.u.b. and 
a g.l.b. It can be shown that every finite lattice, i.e. a lattice with 
a finite number of elements, is complete. Every finite lattice, there- 
fore, has a least element and a greatest element which are respectively 
the g.l.b. and l.u.b. of the lattice. The set of pairs of integers from 
1 to 10 is a lattice whose least element is (1,1) and greatest element is 
(10, 10). A lattice is a distributive lattice if the operations of
extracting g.l.b.'s and l.u.b.'s distribute over each other. The lattice
in the previous example is distributive. 

An element $a$ of a lattice is said to cover another element $b$ of the
lattice if $b \le a$ but there is no other element $x$ such that
$b \le x \le a$. A connected chain in a lattice is a set of elements
$x_1, x_2, \ldots, x_n$ such that each $x_i$ covers $x_{i-1}$; the
length of such a connected chain is $n - 1$. Two elements $x$ and $x'$
are said to lie on a directed path from $x$ to $x'$ if there exists a
connected chain whose first element is $x$ and last element is $x'$.
The length of such a directed path is the length of the connected chain.
The Jordan-Hölder-Dedekind Theorem for lattices implies that the lengths
of all directed paths between a pair of elements of a distributive
lattice are equal. For the example in the previous paragraph, the length
of any directed path from (2,3) to (5,5) is 5 since 4 elements are
required to connect them, e.g. (3,3), (4,3), (5,3), (5,4). Because of
this property of distributive lattices, the elements of a distributive
lattice can be arranged into ranks — elements at the same distance from
the least element of the lattice lie on the same rank.

§2.8 The Lattice of Slices of a Demand Graph 

The slices of a demand graph of the kind illustrated in Figure 2.2
form a distributive lattice under the relation "$\le$". The greatest
element of the lattice is $\gamma_T$ while the least element is
$\gamma_I$. Figure 2.4 shows the lattice of slices of the demand graph
of Figure 2.3. The height of the lattice, i.e. the length of a directed
path from $\gamma_I$ to $\gamma_T$, is
$(n_1 - 2) + (n_2 - 2) + \ldots + (n_m - 2)$ or the total number of
transitions in the graph.

The l.u.b. of the two slices y ± and y 2 in Figure 2.3 is Y3 
while their g.l.b. is Yq- This can also be seen in Figure 2.4 where 

Y is ajo^ and Y 2 is ff l a 2' while Y 3 and Y are a 2 a 2 and 

1 ? 12m 

otZou, respectively. In general, the l.u.b. of two slices
$\alpha^1_{r_1} \alpha^2_{r_2} \ldots \alpha^m_{r_m}$ and
$\alpha^1_{s_1} \alpha^2_{s_2} \ldots \alpha^m_{s_m}$ is the slice
$\alpha^1_{t_1} \alpha^2_{t_2} \ldots \alpha^m_{t_m}$ where
$t_i = \text{l.u.b.}(r_i, s_i)$, and similarly for the g.l.b. of two
slices.
§2.9 Feasibility and Safeness of Slices

A move on a chain $\chi_i$ in a demand graph is a function whose domain
is the set of all slices which intersect $\chi_i$ in a given arc and
whose range is the set of immediate successors of these slices on
$\chi_i$. A move is thus defined by a pair of typical elements from its
domain and range. If a slice, $\gamma$, is in the domain of a move,
$\mu$, then the corresponding element, $\gamma'$, in the range of $\mu$
is the slice resulting from the application of the move to the slice
$\gamma$ and is represented by $\gamma\mu$. If a move $\mu$ leads from
$\gamma_1$ to $\gamma_2$ then $\mu$ is also represented by
$\gamma_1 \to \gamma_2$. Two moves, $\mu_1$ and $\mu_2$, are said to be
connected if they can be represented in the form $\gamma_1 \to \gamma_2$
and $\gamma_2 \to \gamma_3$, respectively. A macro-move is a sequence of
moves, every pair of which is connected. The sequence of slices
$\gamma_1 \gamma_2 \gamma_3 \ldots \gamma_k$ is a connected sequence of
slices if the sequence of moves $\gamma_1 \to \gamma_2$,
$\gamma_2 \to \gamma_3$, ..., $\gamma_{k-1} \to \gamma_k$ is a
macro-move. A macro-move from the initial slice, $\gamma_I$, of a demand
graph to its terminal slice, $\gamma_T$, is called a run. A uni-chain
macro-move is a macro-move all of whose components are moves on the same
chain.

A slice is said to be feasible if the sum of the demands associated
with the arcs in it is no greater than C, the capacity associated with
the demand graph. A slice that is not feasible is infeasible. A
feasible slice of a demand graph is safe if there exists a macro-move
from it to the terminal slice of the graph and if the slice resulting
from the application of each move in the macro-move is feasible, i.e.,
if there exists a connected sequence of feasible slices from the slice
in question to the terminal slice of the graph. A slice that is not
safe is said to be unsafe. Figure 2.5 shows a safe slice and the moves
that lead from it to $\gamma_T$. In terms of the lattice of slices, a
slice $\gamma$ is safe if there exists a directed path from $\gamma$ to
$\gamma_T$, the terminal slice of the graph, that uses only feasible
slices.

In terms of the system of processes represented by a demand graph,
a feasible slice represents a meaningful allocation state. A feasible
slice that lies on a directed path from $\gamma_I$ which uses only
feasible slices represents an attainable allocation state. That a slice
is safe means that there exists a schedule for the processes that leads,
from the state of the system represented by the slice, to the state in
which all the processes have terminated; for each feasible slice
resulting from the application of a move to a feasible slice that
represents an attainable state, itself represents an attainable state.
A slice all of whose immediate successors are infeasible represents a
state of deadlock. The slice representing the current state is referred
to as the current slice. That the current state is not safe, or is
unsafe, implies that every sequence of macro-moves when applied to the
current slice eventually leads to a slice all of whose immediate
successors are infeasible; there is no schedule for the processes that
permits all the processes to complete — deadlock is unavoidable.
Because of this association of
It should be noted that if Habermann's analysis were used in this
example, the slice marked safe would be declared unsafe. The larger
number of slices that can be safe is indicative of the ability to
improve resource utilization that the systems discussed here possess.
§2.10 Representation of Habermann's Systems

It will be recalled from the discussion of Chapter 1 that
Habermann studied deadlock avoidance in systems of independent sequential
processes in which the only available a priori information about resource
usage by processes is that of the maximum amount of each kind of
resource that a process uses. Such systems will be known as Habermann
systems. As the discussion in this chapter (and Habermann's analysis in
[2]) concerns systems with a single type of shared resource, the maximum
amount for that resource can be assumed to be available in such a system.

The demand graphs of Figure 2.6a and b represent such systems. In
Figure 2.6 $\max_i$ represents the maximum amount of resource that
process $i$ ever uses. There are $\max_i$ arcs, in addition to the
initial and terminal arcs, on chain $\chi_i$ in Figure 2.6b. Figure 2.6b
permits representation of allocation states in which a process has been
allocated some resource but not the maximum amount it ever needs — this
is not possible in Figure 2.6a.

In either of the demand graphs of Figure 2.6, it is clear that a
slice is safe if and only if a sequence of uni-chain macro-moves, each
of which consists in crossing all the remaining transitions on the chain,
can lead from the slice to $\gamma_T$ by way of feasible slices alone.
This is because the demands increase monotonically up to the penultimate
arc on each chain. When interpreted this means that a state is
represented by a safe slice if and only if the processes can be scheduled
so as to run to completion one at a time (no interleaving of processes).
This is exactly Habermann's Theorem 1 in section 2.3 of his thesis [2].

As they stand, neither of the demand graphs of Figure 2.6 really
models Habermann systems in all their detail when Habermann's model is
interpreted broadly. Firstly, they suggest that allocation to processes
is made either all at once (Figure 2.6a) or one server at a time (Figure
2.6b) and this need not be assumed in Habermann systems. However, as
phases of processes may last for vanishingly small lengths of time, the
representation of Figure 2.6b does not represent a serious distortion.
Secondly, after a process has been allocated the maximum amount of
resource it ever uses, both the graphs suggest a sudden return en bloc.
This behavior is not necessarily shown in Habermann systems either.
However, the next section shows that partial return of resources by
processes at unknown stages can be represented in the demand graphs for
such systems. Thus Habermann's systems are indeed special cases of the
systems that can be represented by rectilinear demand graphs.

§2.11 Dynamically Available Resource Usage Information

Consider the demand graph of Figure 2.6b. Suppose a slice such
as $\gamma$ were safe. This implies the existence of a sequence of
uni-chain macro-moves that lead from $\gamma$ to $\gamma_T$ by way of
feasible slices and each of which involves crossing all the remaining
transitions on a chain. Consider a segment of a chain that lies entirely
below $\gamma$ and that does not include the terminal arc. If this
segment is replaced by another segment, that is of any length whatsoever
and the demand on whose arcs does not exceed the largest demand of any
arc in the segment removed, then it is clear that the same sequence of
macro-moves can still be used. The slice $\gamma$ is thus safe in spite
of this substitution. Figure 2.7 illustrates this for a specific
example. For general scalar demand graphs of the kind illustrated in
Figure 2.2, if the replacement is restricted to segments consisting of
single arcs, then a similar assertion can be made.

One can interpret the discussion of the previous paragraph as
implying that any information about future resource usage that becomes
available dynamically can be accommodated without deleterious effect if
the new information does not contradict an earlier and more conservative
estimate. In general, the addition of such information makes safe some
states that were unsafe before and thus improves the potential for
efficient utilization of resources (see Figure 2.7b).

It should be clear, now, that it is possible to use demand graphs
to represent systems that exhibit the kind of behavior that Habermann
systems can display, i.e., systems that return resources partially.

The discussion of this section shows that demand graphs can be
used to represent systems in which additional information about
resource usage becomes available during the running of processes.
§2.12 Safeness Tests

It was indicated in section 2.8 that the avoidance of deadlock
requires ensuring that the allocation state is always represented by a
safe slice. It is important, therefore, to be able to test a slice for
safeness.

One could examine all the slices of a demand graph for feasibility
and eliminate those slices that are infeasible from the lattice of slices.
Then a slice is safe if a directed path from it to $\gamma_T$ still
exists. By examining every slice for safeness in this manner one could
mark all slices that are safe. An allocator desirous of investigating
the safeness of a slice, then, need merely determine if it is marked
safe. Unfortunately, there are $\prod_{i=1}^{m} n_i$ slices in the
lattice while in any run only $1 + \sum_{i=1}^{m} (n_i - 1)$ slices are
encountered. Much of the effort in such a scheme is thus wasted.
Moreover, if a new chain is added to the graph (corresponding to
addition of a process to the system), a similar computation has to be
re-done! For these reasons, the safeness tests that are of interest to a
resource allocator are incremental tests, i.e., those that test a single
slice at a time for safeness — presumably the slice that represents the
next state that may become current. Such tests will, in general, attempt
to construct a sequence of moves from a test slice to $\gamma_T$ while
ensuring that each move results in a feasible slice.

The next section describes a safeness test in the form of an
algorithm for the construction of a sequence of the kind described. An
important virtue of this algorithm is that it is non-enumerative, i.e.,
it does not require the examination of all possible sequences of moves
from the slice being tested.

§2.13 The Safeness Algorithm 

The slice being tested is assumed to be $\sigma$. The slice $\gamma$ is
a variable of the algorithm, as is the set $\{\chi\}$ which consists of
chains of the demand graph.

Step 0: Set $\gamma$ equal to $\sigma$ and $\{\chi\}$ equal to
        $\{\chi_1, \chi_2, \ldots, \chi_m\}$. Go to step 1 if $\gamma$
        is feasible. If $\gamma$ is infeasible go to step 5.

Step 1: Pick a chain from $\{\chi\}$ — call it $\chi_i$. Go to step 2.

Step 2: Attempt to construct a uni-chain macro-move down $\chi_i$ from
        $\gamma$ so that the slice resulting from each component move is
        feasible. Terminate the macro-move at the first point where a
        slice — call it $\gamma'$ — results that satisfies both

            $d(\gamma' \cap \chi_i) \le d(\gamma \cap \chi_i)$

        and $d(S_i(\gamma') \cap \chi_i) \not\le d(\gamma' \cap \chi_i)$

        If such a sequence can be constructed go to step 4; if not
        (i.e., if some move results in an infeasible slice) go to
        step 3.

Step 3: Delete $\chi_i$ from $\{\chi\}$. If $\{\chi\}$ is now empty, go
        to step 5; if not go to step 1.

Step 4: If $\gamma'$ is not $\gamma_T$, then replace $\gamma$ by
        $\gamma'$, set $\{\chi\}$ equal to
        $\{\chi_1, \chi_2, \ldots, \chi_m\}$ and go to step 1. If
        $\gamma'$ is $\gamma_T$ then stop and report success ($\sigma$
        is safe).

Step 5: Stop and report failure ($\sigma$ is unsafe).

It is clear that when the Safeness Algorithm (called SA for
brevity) terminates successfully, $\sigma$ is safe. Theorem 2.1 below
shows that when SA terminates unsuccessfully, $\sigma$ must be unsafe.
An interpretation of the algorithm shows that it seeks the first local
minimum of demand that can be found next. When such a local minimum is
found, the search is iterated for the new slice and this continues until
$\gamma_T$ is reached. Figure 2.8 shows a sequence of moves constructed
by means of the Safeness Algorithm.
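The Safeness Algorithm of §2.13, run on a Habermann-style graph (§2.10) and on the same graph after one process's future demand is revised downward (§2.11). This Python sketch is an added illustration, not part of the thesis: the list-of-demands representation, the names, the sample graphs, and the treatment of the terminal arc as always passing the Step 2 stopping test are assumptions, and the second Step 2 condition is read as "the next arc demands strictly more than the current one".

```python
"""Safeness Algorithm (SA) for a rectilinear scalar demand graph.

Assumed representation (not from the thesis):
  chains[i][k]  demand on arc k of chain i; the first and last arcs are the
                initial and terminal arcs and carry zero demand
  slice         tuple holding one arc index per chain
"""


def feasible(chains, capacity, sl):
    """A slice is feasible if its summed demand does not exceed the capacity."""
    return sum(chain[k] for chain, k in zip(chains, sl)) <= capacity


def successors(chains, sl):
    """Immediate successors: one transition crossed on exactly one chain."""
    for i, chain in enumerate(chains):
        if sl[i] < len(chain) - 1:
            yield sl[:i] + (sl[i] + 1,) + sl[i + 1:]


def is_deadlock(chains, capacity, sl):
    """Feasible, non-terminal slice all of whose successors are infeasible."""
    succ = list(successors(chains, sl))
    return (feasible(chains, capacity, sl) and bool(succ)
            and not any(feasible(chains, capacity, s) for s in succ))


def uni_chain_macro_move(chains, capacity, gamma, i):
    """Step 2: slices visited down chain i, ending at gamma', or None."""
    chain, start = chains[i], gamma[i]
    visited = []
    for k in range(start + 1, len(chain)):
        nxt = gamma[:i] + (k,) + gamma[i + 1:]
        if not feasible(chains, capacity, nxt):
            return None                      # a component move is infeasible
        visited.append(nxt)
        at_terminal_arc = k == len(chain) - 1
        # Stop at the first local minimum: demand no larger than at gamma,
        # and the next arc demands strictly more. Assumption: the terminal
        # arc (zero demand, no successor) always qualifies.
        if chain[k] <= chain[start] and (at_terminal_arc or chain[k + 1] > chain[k]):
            return visited
    return None                              # chain already on its terminal arc


def safeness_algorithm(chains, capacity, sigma):
    """Return (is_safe, path); path lists the feasible slices constructed."""
    gamma = tuple(sigma)
    path = [gamma]
    if not feasible(chains, capacity, gamma):            # Step 0
        return False, path
    goal = tuple(len(chain) - 1 for chain in chains)
    while gamma != goal:
        for i in range(len(chains)):                     # Steps 1 and 3
            visited = uni_chain_macro_move(chains, capacity, gamma, i)
            if visited:                                  # Step 4
                path.extend(visited)
                gamma = visited[-1]
                break
        else:                                            # every chain failed
            return False, path                           # Step 5
    return True, path


CAPACITY = 3
# Constructed sample: two processes known only by a maximum claim of 3 each,
# in the one-unit-at-a-time form of Figure 2.6b.
HABERMANN = [[0, 1, 2, 3, 0], [0, 1, 2, 3, 0]]
# Same system once process 0 is known never to hold more than 2 units:
# a less demanding segment substituted below the current slice.
REFINED = [[0, 1, 2, 0], [0, 1, 2, 3, 0]]
CURRENT = (1, 1)        # each process holds one unit

if __name__ == "__main__":
    print("max-claim graph:", safeness_algorithm(HABERMANN, CAPACITY, CURRENT))
    print("refined graph:  ", safeness_algorithm(REFINED, CAPACITY, CURRENT))
    print("deadlock at (2, 1)?", is_deadlock(HABERMANN, CAPACITY, (2, 1)))
```

With only the maximum claims known the current slice is reported unsafe; the revised demand for process 0 makes the same allocation state safe without any change to the algorithm.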

The proof of Theorem 2.1 uses the concept of barriers. A barrier,
$\beta_i$, on a chain, $\chi_i$, with respect to a slice $\gamma$ is an
arc on $\chi_i$ that is the first arc below $\gamma$ for which the
predicate {$(\beta_i / \gamma \cap \chi_i)\gamma$ is an infeasible
slice} is true.

THEOREM 2.1 A feasible slice, $\sigma$, of a demand graph, D, is
safe if and only if the Safeness Algorithm terminates
successfully when applied to $\sigma$ and D.
An examination of SA shows that every uni-chain macro-move in
Step 2 of SA leads to a slice $\gamma'$ which satisfies:

$d(\gamma' \cap \chi_i) \le d(\alpha)$ for all arcs $\alpha$ that lie
between $\gamma$ and $\gamma'$ (inclusive) on $\chi_i$.
Thus it is seen, by a chain of deductions, that y satisfies 

d(y XI y.) ■-; d (::, ) for all arcs a that lie between a and 
y n (inclusive) on y. 
for all chains y. . 

Therefore, in particular, 

ri, X """ v ,) < J(Y, "' X • ) 
'-' J s 1 

Therefore, (\^ X v . / \ Xy.)y is feasible; for y is feasible, 
u 3 j s ' s 



Case 2 y '- I . * V - X ■ < P . 
1 s - -j j 

In this case (as explained at the beginning of the proof) too 

■ [( .y n '"- x :') < <J(y ~ x • ) 

U j S \] 

and so (y " \./y "' y .)\ is again a feasible slice by virtue of the 
U j s ; s J 



feasibility of y 



s 



Thus in either case, one can replace all the arcs in y except 

s 

P k by the corresponding arcs of y and still get a feasible slice. 
But the resulting slice is ( ( y ,/y X |3, )y_ and this is infeasible by as- 
sumption! ill is contradiction implies that y and hence the sequence 
33 cannot exist. Thus, - must be unsafe. 

That $\sigma$ is safe if SA terminates successfully, follows from the
definitions of safeness and successful termination.

Q.E.D.
Theorem 2.1 shows that any macro-move of the kind that leads from
$\sigma$ to a slice $\gamma'$ which is of the form described in Step 2
of SA can be applied fearlessly to $\sigma$ in the construction of a
feasible sequence of slices from $\sigma$ to $\gamma_T$ — backtracking
beyond $\gamma'$ is never required. This leads to Corollary 2.1.1.



COROLLARY 2.1.1 Let $\sigma$ be a safe slice of a demand graph
D and let $\sigma_i$ be an immediate successor of $\sigma$ resulting
from a move down a chain $\chi_i$. Let $\sigma_i$ be feasible and let
$\mu_1 \mu_2 \ldots \mu_k$ be a macro-move that leads from $\sigma_i$ to
a slice $\sigma_i'$ by way of feasible slices. Then if

    (i)  $d(\sigma_i' \cap \chi_i) \le d(\sigma \cap \chi_i)$

and (ii) $d(\sigma_i' \cap \chi_j) \le d(\sigma \cap \chi_j)$ for all
         chains $\chi_j$ on which $\sigma_i'$ and $\sigma$ differ in the
         arcs chosen

then $\sigma_i$ is a safe slice.


The corollary follows since $\mu_1 \mu_2 \ldots \mu_k$ is a macro-move
of the kind described in the paragraph above Corollary 2.1.1.

If the macro-move $\mu_1 \mu_2 \ldots \mu_k$ in Corollary 2.1.1 is a
uni-chain macro-move down $\chi_i$ then the test is simplified
considerably. Thus it should be profitable to look for such a uni-chain
macro-move. In any
case, as long as ct! < y some labour is saved. 
COROLLARY 2.1.2 Let $\sigma$ be a safe slice of a demand graph
and let $\sigma_i$ be $S_i(\sigma)$. Then if
$d(\sigma_i \cap \chi_i) \le d(\sigma \cap \chi_i)$
then $\sigma_i$ is safe.

This corollary follows from Corollary 2.1.1 since the move
$\sigma \to \sigma_i$ is itself the macro-move that satisfies the
conditions of that corollary.
Theorem 2.1 and its corollaries point out that the Safeness
Algorithm, shortened as suggested in Corollary 2.1.1 and 2.1.2 whenever
possible, provides a simple test for the use of an allocator of
resources.

It should be pointed out that a sequence of feasible slices from
$\sigma$ to $\gamma_T$ which is constructed by the Safeness Algorithm
does not represent the actual schedule or order in which processes will
be allowed to proceed (by the allocator). The actual order may be quite
different, being determined by actual requests from the processes, to be
permitted to proceed to their respective next phases of activity,
together with considerations of safeness of the slices corresponding to
the allocation states of the system which would result if the requests
were granted. This is the incremental aspect of tests that was referred
to earlier. It is this incremental approach that permits dynamic
increase of the number of processes in the system as well as the dynamic
changes, in the demand graphs of processes already in the system, that
were described in section 2.11.
§3.1 Rectilinear Vector Demand Graphs

The discussion and analysis of Chapter 2 dealt with the
representation and analysis of systems in which a single type of
resource is shared from a pool in an unpre-emptable manner. As the
construction analogue of Chapter 1 illustrates, however, there are many
systems in which more than one type of resource are so used. An
extension of the analysis of deadlocks to systems with multiple resource
types, or multi-resource systems, for brevity, is therefore of interest
and is the goal of this chapter.

Sections 3.11 and 3.12 illustrate how the sharing of locked data
bases in computer systems and Job Shop Scheduling can be analysed using
the representation and analysis developed in Sections 3.2 to 3.10.

Multi-resource systems can be represented by Rectilinear Vector
Demand Graphs, or Vector Demand Graphs for brevity, which are
structurally identical to Rectilinear Scalar Demand Graphs except that A
for such graphs is the set of n-tuples of non-negative integers for some
specified n. The arcs of Vector Demand Graphs, therefore, have n-tuples
or vectors of demand instead of scalar demands associated with
themselves. The vectors of demand are represented by $d(\alpha)$ to
emphasize this difference. As before, convention dictates that the
initial and terminal arcs of each chain have zero demand, i.e.
(0, 0, ... 0), associated with them. Figure 3.1a illustrates such a
demand graph.

The terminology of Chapter 2 carries over mutatis mutandis —
the qualification refers to the replacement of a scalar capacity, C, by
a vector capacity, C, and of scalar inequality by vector inequality.

§3.2 A Transformation for Vector Demand Graphs 

A peculiar phenomenon appears in Vector Demand Graphs in
connection with safeness. It will be noticed in Figure 3.1a that the
slice of D marked $\gamma$ is unsafe because both $\gamma_1$ and
$\gamma_2$, the two slices which are immediate successor slices of
$\gamma$, are infeasible. However, $\gamma'$ is feasible. Moreover, in
the system which is represented by D, the state represented by
$\gamma'$ can be attained just after that represented by $\gamma$; for
it merely corresponds to responding (favourably and) simultaneously to
the requests from two users to be permitted to proceed to their
respective next phases of activity. Thus the state corresponding to
$\gamma$ should be safe.

To be able to make $\gamma$ safe would require changing the definition
of a move to permit crossing of several transitions in a move.

However, representation of such simultaneous or multiple moves
in the lattice of slices requires addition of a large number of paths to
the lattice; for at each node of the lattice there would be, in general,
possible successors, viz. the slices that can be reached by multiple
moves that involve crossing up to r transitions simultaneously.
Moreover, an algorithm such as the Safeness Algorithm has to examine
these $2^r$ possible successor slices one by one until its test is
satisfied. This increases immensely the amount of work involved in
examining the safeness of a slice.

Fortunately, a transformation of the demand graphs (as illustrated
in Figures 3a and 3b) produces a demand graph in which every slice of the
original demand graph that was safe, when multiple moves are permissible,
is safe when only single moves are permissible. The transformation
operates on pairs of adjacent arcs, typified by $\alpha_1$ and
$\alpha_2$ say, on each chain. Whenever
$d(\alpha_1) \not\le d(\alpha_2)$ and $d(\alpha_2) \not\le d(\alpha_1)$
(where "$\le$" is understood in the usual vector sense of each component
of the Left Hand vector being less than or equal to the corresponding
component of the Right Hand vector), an arc $\alpha_1'$ is introduced
between $\alpha_1$ and $\alpha_2$ with a demand which is the greatest
lower bound of the two vectors $d(\alpha_1)$ and $d(\alpha_2)$. Thus
$\alpha_1 < \alpha_1' < \alpha_2$ and
$d(\alpha_1) > d(\alpha_1') < d(\alpha_2)$. It should be clear that
these arcs which are inserted provide a sequence of single-transition
moves between every pair of slices of the type $\gamma$ and $\gamma'$ in
Figure 3.1, with only feasible slices resulting from the moves.

As the transformation described above is vital to the accuracy of
representation and analysis of multi-resource systems by demand graphs,
it will be presumed that such a transformation is carried out before any
algorithms or tests are applied to demand graphs. However, the
transformation is not crucial to the analysis that is presented.
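The transformation of this section, checked by exhaustive search over the lattice of slices (the marking scheme of §2.12), as an added Python illustration that is not part of the thesis. The two-user graph, the capacity (3, 3) and all names are constructed for the example: slice (1, 1) is deadlocked under single moves, safe when both users may move at once, and safe under single moves once the g.l.b. arcs are inserted.

```python
"""Vector demand graphs: inserting g.l.b. arcs so single moves suffice.

Assumed representation (not from the thesis): chains[i][k] is the demand
vector (a tuple) on arc k of chain i; a slice is a tuple of arc indices.
"""
from itertools import product


def leq(u, v):
    """Vector inequality: every component of u is <= that of v."""
    return all(a <= b for a, b in zip(u, v))


def glb(u, v):
    """Greatest lower bound of two demand vectors (componentwise minimum)."""
    return tuple(min(a, b) for a, b in zip(u, v))


def transform(chain):
    """Insert a g.l.b. arc between each adjacent pair of incomparable arcs.

    Returns the new chain and, for each original arc, its new index."""
    new_chain, index_map = [chain[0]], [0]
    for prev, cur in zip(chain, chain[1:]):
        if not leq(prev, cur) and not leq(cur, prev):
            new_chain.append(glb(prev, cur))
        index_map.append(len(new_chain))
        new_chain.append(cur)
    return new_chain, index_map


def slice_demand(chains, sl):
    """Componentwise sum of the demand vectors on the arcs of a slice."""
    arcs = [chain[k] for chain, k in zip(chains, sl)]
    return tuple(sum(component) for component in zip(*arcs))


def next_slices(sl, goal, simultaneous):
    """Single moves, or every non-empty set of chains advanced together."""
    m = len(sl)
    if simultaneous:
        steps = [s for s in product((0, 1), repeat=m) if any(s)]
    else:
        steps = [tuple(int(j == i) for j in range(m)) for i in range(m)]
    for step in steps:
        nxt = tuple(k + d for k, d in zip(sl, step))
        if all(k <= g for k, g in zip(nxt, goal)):
            yield nxt


def is_safe(chains, capacity, sl, simultaneous=False):
    """Exhaustive test: is the terminal slice reachable via feasible slices?"""
    goal = tuple(len(chain) - 1 for chain in chains)
    seen, stack = set(), [tuple(sl)]
    while stack:
        cur = stack.pop()
        if cur in seen or not leq(slice_demand(chains, cur), capacity):
            continue
        if cur == goal:
            return True
        seen.add(cur)
        stack.extend(next_slices(cur, goal, simultaneous))
    return False


# Constructed sample: two resource types, two users that swap their holdings.
CAPACITY = (3, 3)
ORIGINAL = [
    [(0, 0), (2, 1), (1, 2), (0, 0)],
    [(0, 0), (1, 2), (2, 1), (0, 0)],
]
PAIRS = [transform(chain) for chain in ORIGINAL]
TRANSFORMED = [pair[0] for pair in PAIRS]
INDEX_MAPS = [pair[1] for pair in PAIRS]


def map_slice(sl):
    """Translate a slice of ORIGINAL into the same state in TRANSFORMED."""
    return tuple(index_map[k] for index_map, k in zip(INDEX_MAPS, sl))


if __name__ == "__main__":
    gamma = (1, 1)
    print("single moves, original:     ", is_safe(ORIGINAL, CAPACITY, gamma))
    print("simultaneous moves, original:", is_safe(ORIGINAL, CAPACITY, gamma, True))
    print("single moves, transformed:  ", is_safe(TRANSFORMED, CAPACITY, map_slice(gamma)))
```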
§3.3 The Modified Safeness Algorithm

As in Chapter 2, an incremental algorithm for the determination
of the safeness of a slice is desirable. It is tempting to try and use
the Safeness Algorithm of Chapter 2 with a vector comparison in step 2,
instead of a scalar one. That step would read:

Step 2: Attempt to construct a uni-chain macro-move down $\chi_i$ so
        that the slice resulting from each component move is feasible.
        Terminate the macro-move at the first point where a slice
        $\gamma'$ is reached that satisfies:

            $d(\gamma' \cap \chi_i) \le d(\gamma \cap \chi_i)$

        and $d(S_i(\gamma') \cap \chi_i) \not\le d(\gamma' \cap \chi_i)$

        where "$\le$" is interpreted as holding for all components
        simultaneously. If the attempt is successful, go to step 4; if
        not (i.e., if some move results in an infeasible slice), go to
        step 3.

Consider Figure 3.2a. Were one to apply the algorithm as modified
above to slice $\gamma$, one would get to $\gamma''$, by way of
$\gamma'$, and discover that no moves from $\gamma''$ result in feasible
slices. Unfortunately, the failure of the algorithm at $\gamma''$ does
not imply (as it would in the case of the Safeness Algorithm for Scalar
Demand Graphs) that $\gamma$ is unsafe. For the sequence of slices
Y - Y " Y ~ Y >, in that figure, shows part of a full sequence of
feasible slices from $\gamma$ to $\gamma_T$.

The slice $\gamma$ suggests that avoidance of erroneous moves requires
changing the condition to be satisfied by $\gamma'$ in step 2 of the
algorithm above to

    $d(\gamma' \cap \chi_i) \le d(\delta \cap \chi_i)$ for all slices
    $\delta$ that lie between $\gamma$ and $\gamma'$ (inclusive)

and $d(S_i(\gamma') \cap \chi_i) \not\le d(\gamma' \cap \chi_i)$

Corollary 3.1.2 of Theorem 3.1 below proves the validity of this
conclusion. The Safeness Algorithm of Chapter 2 with the condition in
Step 2 replaced according to this suggestion will be referred to as the
Modified Safeness Algorithm.

A few definitions are required for the precise statement of the
result of Theorem 3.1, and these follow.

§3.4 The Prefix Property 

The set of extensions, $E_D(\gamma)$, of a demand graph, D, with respect
to a slice, $\gamma$, of D is the set of all demand graphs which are
identical to D up to $\gamma$, have the same capacity associated with
themselves as D, and have at least one arc below $\gamma$ on each chain.
The demands associated with the arcs below $\gamma$ are not constrained
except by the definition of a Vector Demand Graph. A member of
$E_D(\gamma)$ is called an extension of the demand graph, D, with
respect to the slice $\gamma$. Figure 3.2b shows an extension of the
demand graph of Figure 3.2a with respect to $\gamma$. Extensions of a
demand graph with respect to a slice represent possible continuations of
the demand graph beyond that slice.

A feasible slice, $\gamma$, of a demand graph, D, which can be reached
by a connected sequence of feasible slices from an earlier slice,
$\sigma$, is said to possess the prefix property with respect to the
slice, $\sigma$, if in all extensions of D with respect to $\gamma$ in
which $\sigma$ is safe, $\gamma$ is safe too. Let P be the prefix
relation "possesses the prefix property with respect to". Then P is
clearly transitive, so that $\sigma P \gamma$ and $\gamma P \gamma'$
implies $\sigma P \gamma'$. This transitivity is very valuable and will
be utilized extensively.

§3.5 Necessary and Sufficient Conditions for the Prefix Property 

In terms of the prefix property, it will be seen that for Scalar
Demand Graphs, the condition of Step 2 of the Safeness Algorithm (see
Chapter 2) is sufficient for possession of the prefix property by a slice,
i.e. by $\gamma'$ with respect to $\gamma$. Lemmas 3.1 and 3.2 state
necessary and sufficient conditions, respectively, for a slice of a
Vector Demand Graph to possess the prefix property with respect to
another slice. In these lemmas and in the rest of this thesis, the term
"accessible" means "can be reached by a connected sequence of feasible
slices". Also, "d (a slice)" is the concise notation for the sum of the
demands on the arcs in the slice — the object in parentheses may be only
a part (subset) of a slice and then the notation stands for the sum of
the demands on the arcs in that part of the slice. The term "a move fits
a slice feasibly" in the proofs of these lemmas means that the slice,
$\gamma$, is feasible and in the domain of the move, $\mu$, and
$\gamma\mu$ is a feasible slice. A macro-move fits a slice feasibly if
each component move fits feasibly the slice resulting after the previous
component moves have been applied.

Note: The case in which a slice of a demand graph passes through only
one arc that has a non-zero demand is a degenerate one. That is to say,
every such slice possesses the prefix property with respect to any earlier
slice from which it is accessible; for one process-at-a-time completion is
possible, as the demand on each arc of the demand graph does not exceed
the capacity of the graph. For this reason that case has been excluded
from consideration in Lemmas 3.1 to 3.3 and in Theorem 3.1.

LEMMA 3.1 Let D be a vector demand graph and let $\gamma$ be a
feasible slice of D that contains at least two arcs having
non-zero demands. Further, let $\sigma$ be a feasible slice of D
from which $\gamma$ is accessible. Let $D^*$ be the extension of D
with respect to $\gamma$ defined by Figure 3.3 and $\delta_1$ be any
slice of $D^*$ that is of the form $F_1$ defined below. Then the
slice $\gamma$ possesses the prefix property with respect to $\sigma$
only if whenever the slice $\delta_1$ is accessible from $\sigma$, the
slice $\gamma$ is not accessible from $\delta_1$.

Form $F_1$: A slice, $\delta_1$, of this form satisfies the
following conditions:

(i) $\sigma < \delta_1 < \gamma$

(ii) $\delta_1$ and $\gamma$ share at least one arc that has a
non-zero demand.

(iii) $d(\gamma) \not\le d(\delta_1)$

PROOF: Suppose that the condition is violated, i.e. a slice
$\delta_1$ of the form $F_1$ is accessible from $\sigma$ and $\gamma$ is
accessible from $\delta_1$. Let $\chi_i$ be the chain on which the arc
common to $\gamma$ and $\delta_1$ lies.

Consider the extension $D'$ of D with respect to $\gamma$ that is
defined by Figure 3.4 (the chains have been rearranged for drafting
convenience).

The slice $\gamma$ is not safe in $D'$ as the values for the demands,
$d$, have been chosen so that the only slice later than $\gamma$ from
which $\gamma_T'$, the terminal slice of $D'$, is accessible is
$\gamma'$ and $\gamma'$ is not accessible from $\gamma$ because
$d(\gamma) \not\le d(\delta_1)$.

However, $\delta_1'$ is clearly accessible from $\delta_1$ and has a
smaller demand on each chain than $\delta_1$, i.e.,

$d(\delta_1' \cap \chi_i) \le d(\delta_1 \cap \chi_i)$ for all chains
$\chi_i$.

Thus, since $\gamma$ is accessible from $\delta_1$, $\gamma'$ must be
accessible from $\delta_1'$.

Now it is clear from the figure that $\gamma'$ is safe in $D'$.
Consequently, the sequence of macro-moves $\delta_1 \to \delta_1'$,
$\delta_1' \to \gamma'$ and $\gamma' \to \gamma_T'$ is one which
produces a connected sequence of feasible slices from $\delta_1$ to
$\gamma_T'$. Thus $\delta_1$ is safe in $D'$ and, consequently,
$\sigma$ is safe in $D'$. However, $\gamma$ is not safe in $D'$. Thus
$\gamma$ cannot possess the prefix property with respect to $\sigma$.

Q.E.D. 

An immediate consequence of Lemma 3.1 is Lemma 3.2.

LEMMA 3.2 Let D be a vector demand graph and let $\gamma$ be a
feasible slice of D that contains at least two arcs having
non-zero demands. Further, let $\sigma$ be a feasible slice of D
from which $\gamma$ is accessible. Let $D^*$ be the extension of
D with respect to $\gamma$ defined by Figure 3.3 and $\delta_2$ be any
slice of $D^*$ of the form $F_2$, which is defined below. Then
the slice $\gamma$ possesses the prefix property with respect to
$\sigma$ only if each such $\delta_2$ is inaccessible from $\sigma$.

Form $F_2$: A slice $\delta_2$ of this form satisfies the
following conditions:

(i) $\sigma < \delta_2 < \gamma$

(ii) $\delta_2$ and $\gamma$ share at least one arc that has
a non-zero demand.

(iii) $d(\gamma) \not\le d(\delta_2)$

(iv) $d(\delta_2 \cap \chi_i) \le d(\rho \cap \chi_i)$ for all slices,
$\rho$, which lie between $\sigma$ and $\delta_2$ (inclusive) and for
all chains, $\chi_i$.
PROOF: It need merely be shown that condition (iv) in Form $F_2$
implies that $\gamma$ is accessible from $\delta_2$, for then the result
follows from Lemma 3.1.

Since $\gamma$ is accessible from $\sigma$, there exists a sequence, M,
of moves from $\sigma$ to $\gamma$, say it is
$\mu_1 \mu_2 \ldots \mu_q$. Then
$\sigma\mu_1\mu_2 \ldots \mu_q = \gamma$. Also, the slice resulting from
the application of each move is feasible, i.e., each $\mu_i$ fits the
slice $\sigma\mu_1 \ldots \mu_{i-1}$ feasibly. Let $\mu_\ell$ be the
first move in M that has the property that

    $\sigma\mu_1\mu_2 \ldots \mu_{\ell-1} \le \delta_2$
but $\sigma\mu_1\mu_2 \ldots \mu_\ell \not\le \delta_2$

i.e., $\mu_\ell$ is the first move to cross $\delta_2$. Then, by virtue
of condition (iv) in the definition of form $F_2$,

$d(\delta_2) \le d(\sigma\mu_1 \ldots \mu_{\ell-1})$

Thus, $\mu_\ell$ fits $\delta_2$ feasibly.

Similarly, $\mu_{\ell+1}$ fits $\delta_2\mu_\ell$ feasibly, and so on up
to $\mu_p$ where $\mu_p$ is the first move to cross $\delta_2$
completely,

    $\sigma\mu_1\mu_2 \ldots \mu_{p-1} \not\ge \delta_2$
but $\sigma\mu_1\mu_2 \ldots \mu_p \ge \delta_2$

At this point,
$\sigma\mu_1 \ldots \mu_p = \delta_2\mu_\ell\mu_{\ell+1} \ldots \mu_p$
and, consequently, the macro-move $\mu_{p+1} \ldots \mu_q$ fits
$\sigma\mu_1\mu_2 \ldots \mu_p$ feasibly.

Thus $\mu_\ell \ldots \mu_q$ is a macro-move that fits $\delta_2$
feasibly and $\delta_2\mu_\ell \ldots \mu_q = \gamma$. Thus $\gamma$ is
accessible from $\delta_2$.

[Some moves, $\mu_i$, produce no apparent effect, i.e.
$\delta_2\mu_\ell \ldots \mu_i = \delta_2\mu_\ell \ldots \mu_{i-1}$.
These moves are those that produce an immediate successor on a chain
that still intersects the chain at or above $\delta_2$. These moves can
be ignored.]

Q.E.D.
LEMMA 3.3 Let D be a vector demand graph and $\gamma$ be a
feasible slice of D that contains at least two arcs that
have non-zero demands. Further, let $\sigma$ be a feasible slice
of D from which $\gamma$ is accessible. Let D be the extension
of D with respect to $\gamma$ defined by Figure 3.3 and $\delta_3$ be
any slice of D that is of the form $F_3$, which is defined below.
Then $\gamma$ possesses the prefix property with respect to $\sigma$ if
whenever $\delta_3$ is accessible from $\sigma$, $\gamma_T$, the terminal slice of
D , is not accessible from $\delta_3$.

Form $F_3$  A slice $\delta_3$, of this form, satisfies the
following conditions:

(i) $\sigma \le \delta_3$

(ii) Either $\delta_3$ and $\gamma$ share at least one arc
that has non-zero demand, or $\delta_3$ includes
at least one terminal arc of D .

$\sigma \mu_1 \mu_2 \ldots \mu_{p-1} \ngtr \gamma$

$\sigma \mu_1 \mu_2 \ldots \mu_p > \gamma$

Moreover,

$\sigma \mu_1 \mu_2 \ldots \mu_p = \gamma \mu_\ell \mu_{\ell+1} \ldots \mu_p$

so that the macro-move $\mu_{p+1} \ldots \mu_q$ fits $\gamma \mu_\ell \mu_{\ell+1} \ldots \mu_p$ feasibly.

Thus $\mu_\ell \mu_{\ell+1} \ldots \mu_q$ is a macro-move from $\gamma$ to $\gamma_T$ that has
the property that each $\mu_i$ fits $\gamma \mu_\ell \mu_{\ell+1} \ldots \mu_{i-1}$ feasibly. Thus $\gamma$ is
safe.

Therefore, $\gamma$ possesses the prefix property with respect to $\sigma$.

Q.E.D. 

An immediate consequence of Lemma 3.3 is Theorem 3.1. 

THEOREM 3.1 Let D be a vector demand graph and $\gamma$ be a
feasible slice of D that includes at least two arcs that
have non-zero demands. Further, let $\sigma$ be a feasible slice
of D from which $\gamma$ is accessible. Then $\gamma$ possesses the
prefix property with respect to $\sigma$ if

$d(\gamma \cap \chi_i) \le d(\rho \cap \chi_i)$ for all slices, $\rho$, that lie
between $\sigma$ and $\gamma$ (inclusive) and for all chains, $\chi_i$.

PROOF: From the condition of the theorem it follows that condition
(iii) of Form $F_3$ cannot be met by any slice satisfying conditions
(i) and (ii) of that Form. The result, therefore, follows from Lemma 3.3.

The results proved above have little intuitive meaning and their
principal use is in proving Theorem 3.3 later. The reader should satisfy
himself that the necessary and sufficient conditions in Lemmas
3.1 and 3.3 are compatible. Figure 3.5 shows a slice, $\gamma$, which possesses
the prefix property with respect to another slice, $\sigma$, even though
the conditions of Theorem 3.1 are violated; the conditions of Lemma 3.3
are met, however. Theorem 3.1 provides the basis for the Basic Algorithm,
which is presented later.

§3.6 Inadequacies of the Modified Safeness Algorithm

Theorem 3.1, stated above, shows that the slices, y's produced in 
Step 2 of both the Safeness Algorithm of Chapter 2 and the Modified Safe- 
ness Algorithm possess the prefix property with respect to the slices Y- 

The prefix property states that partial sequences of feasible
slices possess extensions that lead to the terminal slice. Theorem 2.1
showed that, in addition to producing slices with the prefix property,
the Safeness Algorithm of Chapter 2 was always able to construct the
extension. Unfortunately, such is not the case for the Modified Safeness
Algorithm, and Figure 3.6 illustrates this. In that figure, the Modified
Safeness Algorithm fails at y even though there is an extension, viz 



Y ~ Y " Y ~ Y • • • Y T j °f the sequence o" - Y- The Modified Safe- 
ness Algorithm thus needs to be augmented by an algorithm that con- 
structs such an extension when the former is unable to — the Crutch 
Algorithm given below is such an algorithm. 

The example of Figure 3.6 shows that the reason that an extension
of the sequence $\sigma$ - $\gamma$ exists, even when the Modified Safeness Algorithm
is unable to find one, is that the demand on the arc marked a!
is sufficiently low in a crucial component, viz the first one, to enable
a macro-move down $\chi_2$ to its terminal arc to fit feasibly in spite of
the fact that the demand on al is not vectorially less than that on
$\gamma \cap \chi_1$. An arc such as al is called a crutch for the obvious reason.
An arc, $\alpha_i$, on a chain, $\chi_i$, of a demand graph, D, is said to be a crutch
with respect to a slice, $\gamma$, of D if the following relation is satisfied:

d(a t ) * d( Y n Xi ) 

The example in Figure 3.6 also points out that the Modified Safeness
Algorithm fails at a slice, $\gamma$, of a demand graph when moves down
each chain result (eventually) in an infeasible slice before the condition
in Step 2 of that algorithm is satisfied. The arcs on the chains
which correspond to these infeasible slices are thus barriers (see the
arcs marked P-, p and p„ in Figure 3.6 for instance). An arc, $\beta_i$, on
a chain, $\chi_i$, is said to be a barrier with respect to a slice, $\gamma$, which
lies above it, if $\beta_i$ is the first arc on $\chi_i$ after $\gamma \cap \chi_i$ such that
the slice $(\beta_i / \gamma \cap \chi_i)\gamma$ is infeasible. When the Modified Safeness
Algorithm fails at a slice, $\gamma$, then a barrier with respect to $\gamma$ exists
on each chain of the demand graph.

The role of the augmentative Crutch Algorithm can now be explained.
When the Modified Safeness Algorithm fails while testing a
slice $\sigma$ for safeness, there exist barriers, $\beta_j$ on $\chi_j$, with respect to
the last slice possessing the prefix property with respect to the
slice $\sigma$. If no crutches with respect to $\gamma$ lie between $\gamma$ and the
$\beta$'s, then extension of the sequence $\sigma$ ... $\gamma$ to $\gamma_T$ is not possible
and $\sigma$ is unsafe. When such crutches can be found, such an extension
of the sequence may exist (see Figure 3.6, for instance). The function
of the augmentative algorithm is to examine the possibility of using the
crutches to cross a barrier. The slice $\gamma$ in Figure 3.6 shows that not
all crutches are (equally) useful. Figure 3.7 shows that more than one
crutch may need to be used (in fact as many as m - 1 crutches may
need to be used) to cross a barrier. The Crutch Algorithm should,
therefore, be capable of examining all possible combinations of crutches
that may prove useful.

Augmentation of the Modified Safeness Algorithm produces the 
Augmented Safeness Algorithm (ASA for brevity). This algorithm is 
rather complicated to follow and so it is preceded by a prologue which 
explains the interaction between the components of the ASA and shows a 
model for the working of the ASA in terms of a growing tree. 

§3.7 Prologue to the Augmented Safeness Algorithm 

The Augmented Safeness Algorithm is really a shell algorithm, in
that it calls the Basic Algorithm iteratively until BA fails or until
it is found that the terminal slice, $\gamma_T$, is accessible from the test slice.

The Basic Algorithm (BA) uses the test in Theorem 3.1 to seek a
slice that is accessible from the slice ", which is one input parameter,
and that possesses the prefix property with respect to u. Occasionally,
BA encounters barriers on all the chains and then it resorts to the 
Crutch Algorithm (CA) . CA merely advances the slice to y , a slice 
passing through a crutch, and calls BA. If BA again encounters barriers, 
it resorts to CA once more, and so on, so that calls to BA and CA can 
be nested. If BA does not encounter such barriers it seeks slices ac- 
cessible from y and possessing the prefix property with respect to 
it. It tests these slices, y 1 , to determine if y'P w and if so, to 
declare success. If-ry'P^it continues its search. Thus the success 
of BA always results in a slice, y , being returned that satisfies y P w . 
The slices y 1 are said to be conditionally acceptable since it may or 
may not be true that y'P", but it is true that y' p Y • I f y'P^, then the 
slice y' ■ is said to be acceptable ; for instance, y i- s always an ac- 
ceptable slice. 

The activity of ASA and its components can be modelled by a 
growing tree whose nodes represent slices. Each slice represented by a 
node is accessible from the slice represented by a node preceding it in 
the tree. The shape of a node reflects the characteristics of the slice 
represented. Square nodes represent acceptable slices. If a square 
node representing the slice $\gamma_1$ precedes a square node representing the
slice $\gamma_2$, then $\gamma_2 P \gamma_1$. The test slice, $\sigma$, is at the root of the tree and
is represented by a square node. An asterisk-like node represents a
slice passing through a crutch relative to the slice represented by the
node immediately preceding it. Triangular nodes represent condition- 
ally acceptable nodes. If a triangular or asterisk-like node repre- 
senting the slice Yo precedes a triangular node representing the slice 
Y,, then Y^ P Y3« The plain nodes represent slices that are dead-ends. 

The activity of BA appears as in Figure 3.8a, while that of the 
full ASA appears as in Figure 3.8b. 

Readers may find Figure 3.8b of value in understanding the Aug- 
mented Safeness Algorithm. 

In the statement of the ASA, the word "invocation" is used to 
mean "activation" and relates to recursive performances of algorithms. 
The term hump in the statement of the Crutch Algorithm refers to an 
arc whose demand is no less than that of the next arc. 

§3.8 The Augmented Safeness Algorithm 

The slice whose safeness is being examined will be denoted by $\sigma$.

There is an internal variable, $\mu$, which is a slice.

Step 0: Set $\mu$ equal to $\sigma$. If $\mu = \gamma_T$, note that $\sigma$ is safe and stop;
if not, go to Step 1.

Step 1: Perform the Basic Algorithm with $\gamma$ and $\omega$ set equal to $\mu$
and X set equal to $\emptyset$, the empty set. If the algorithm
terminates unsuccessfully, go to Step 3; if not, set $\mu$ equal
to $\gamma_p$, the value returned, and go to Step 2.

Step 2: If $\mu = \gamma_T$, stop and report success; if not, go to Step 1.

Step 3: Report failure and stop.

Basic Algorithm 

This algorithm uses three input parameters, viz two slices, y and 

u>, and a set of chains, X. It seeks a feasible slice y that is ac- 

P 

cessible from 'J and that satisfies -y P '-J. (Since, presumably wRy, 

this implies that y Pa.) The set $X_{BA}$ is an internal variable.

Step 0: Set $X_{BA}$ = {$\chi_1, \chi_2, \ldots, \chi_m$}. Go to Step 1 if $\gamma$ is feasible;
if not, terminate and report failure.

Step 1: Pick a chain from $X_{BA}$, preferably one that is in X; call it
$\chi_i$. Attempt to construct a uni-chain macro-move down $\chi_i$ that
fits $\gamma$ feasibly and is as large as possible; however,
terminate the macro-move at the first point where the slice,
$\gamma'$, resulting from the macro-move satisfies



$d(\gamma' \cap \chi_i) \le d(\rho \cap \chi_i)$ for all slices $\rho$ lying
between $\gamma$ and $\gamma'$ (inclusive)



and d(S.(Y') r Xi ) ^ J(Y' ^ X± ) 



(i.e. a local minimum is reached on $\chi_i$)



If the attempt is successful then go to Step 2. If the attempt
is unsuccessful, go to Step 5.

Step 2: If X is empty, then go to Step 7. If X is not empty, then
go to Step 3 if $\chi_i$ is not in X and to Step 4 if $\chi_i$ is
in X.

Step 3: Set $\gamma$ equal to $\gamma'$ and go to Step 0.

Step 4: If

$d(\gamma' \cap \chi_i) \le d(\xi \cap \chi_i)$ for all slices $\xi$ lying
between $\omega$ and $\gamma'$ (inclusive)

then delete $\chi_i$ from X and go to Step 2. Otherwise go to
Step 3.

Step 5: Delete $\chi_i$ from $X_{BA}$. If $X_{BA}$ is now empty, go to Step 6;
if not go to Step 1.

Step 6: Perform the Crutch Algorithm with $\omega$, X and $\gamma$ as values for
the input parameters, $\omega^c$, $X^c$, and $\gamma^+$, respectively. If BA
terminates with success, set $\gamma'$ equal to $\gamma_p$, the value returned, and
go to Step 7. If BA fails, terminate and report failure.

Step 7: Set $\gamma_p$ equal to $\gamma'$, terminate and report success.

Crutch Algorithm 

This algorithm extends the sequence of slices to a slice which
passes through a crutch relative to the input parameter $\gamma^+$. It uses an
internal variable $X_{CA}$ which is initialised to {$\chi_1, \chi_2, \ldots, \chi_m$} at
entry. It uses the input parameters $\omega^c$ and $X^c$ for calls to BA.

Step 0: Pick a chain from $X_{CA}$; call it $\chi_j$. Go to Step 1.

Step 1: Attempt to construct a uni-chain macro-move down $\chi_j$ that
fits $\gamma^+$ feasibly and that is as large as possible; however,
terminate the macro-move at the first point where the slice,
$\gamma^*$, produced by the macro-move satisfies:

(i) d( Y " n X-) + d(Y + n X.) or 3a. d(a .)> d(y" U x) where 

+ * 

y u x- < o!. < y n x. 

1 1 3 3 

i.e., either y* contains a crutch or a hump CL . was crossed. 

and (ii) d( Y * El Xj ) ? d(S j ( Y *) H Xj ) 

If the attempt succeeds, go to Step 2; if not, go to Step 3. 

c 

Step 2: Add X- to X and call for the performance of BA with the input 

it C C 

parameters y » x and w as values for the input parameters 
Y, X and (J. If BA terminates successfully, then set y equal 
to the value, y > returned by BA and go to Step 5. If BA 
terminates unsuccessfully (then the macro-move y ~* Y ^s not 
acceptable and so), set y equal to y an d go to Step 1 

(rather than to Step as a larger uni-chain macro-move down 

+ * 
X. than Y "* Y ma y be acceptable). 

Step 3: Delete $\chi_j$ from $X_{CA}$. If $X_{CA}$ is now empty, go to Step 4;
if not, go to Step 0.

Step 4: Terminate and report failure. 

Step 5: Terminate and report success. 

§3.9 Adequacy of ASA

Theorem 3.2, which follows, shows that the Augmented Safeness 
Algorithm is sufficiently potent to handle all vector demand graphs. 

THEOREM 3.2 The Augmented Safeness Algorithm applied to a 
slice of a vector demand graph terminates successfully if 
and only if the slice is safe. 

PROOF: The "only if" result follows from the fact that ASA
terminates successfully only if the terminal slice of the graph is 
reached and from the fact that every slice in the sequence constructed 
is feasible. 

It remains to be shown that ASA never reports failure erroneously, 
i.e. when the slice being tested is safe. 

Suppose ASA failed even though the slice under test is safe. 

Let D be the demand graph and $\sigma$ the slice under test. Now failure
of ASA implies failure of BA, which implies failure of CA. Let $\gamma_t$
represent the last value of $\gamma_p$ returned by BA. Then $\gamma_t$ is the last
slice possessing the prefix property with respect to $\sigma$ that was found
by ASA. At $\gamma_t$, all attempts by BA to use the test of Theorem 3.1 failed
and BA asked for the performance of CA, which reported failure. That
CA reported failure when applied at $\gamma_t$ implies that all attempts to use
crutches failed sooner or later.

In terms of the tree of Figure 3.8b, the (sub-)tree rooted at
$\gamma_t$ contains asterisked, triangular and plain nodes only. The leaves
of the tree are plain nodes and these slices have the property that 
there are no accessible crutches below them, i.e. there are m barriers 
B. (on the m chains) relative to each such slice 6. The arcs between 
6 n*. and B° all have demands strictly greater than that on 6 U \. . 

e 

Let B., for all m values of i, be the lowest of the barriers B., i.e. 
r x i 

B. > B. for all slices of the form 6 
i l 

Since $\sigma$ is safe and since $\gamma_t$ possesses the prefix property
with respect to $\sigma$, $\gamma_t$ is safe. Thus there exists a connected sequence,
$\Sigma$, of feasible slices from $\gamma_t$ to $\gamma_T$. Let $\sigma'$ be the first slice in
$\Sigma$ to pass through one of the $\beta_i$'s. Say $\sigma'$ passes through $\beta_k$. Then

$\gamma_t \cap \chi_j < \sigma' \cap \chi_j < \beta_j \qquad j \in [1, m],\ j \ne k$

$\gamma_t \cap \chi_k < \sigma' \cap \chi_k = \beta_k \qquad k \in [1, m]$

It will now be shown that the connected sequence of feasible
slices $\gamma_t$ ... $\sigma'$ can be transformed into one that can be produced by
ASA. Since ASA was unable to produce it, a contradiction will result.
This will imply that a sequence such as $\Sigma$ cannot exist.

Let the macro-move $\gamma_t \to \sigma'$ be broken up into uni-chain macro-moves,
$\mu_1, \mu_2, \ldots, \mu_q$, so that

$\gamma_t \mu_1 \mu_2 \ldots \mu_q = \sigma'$

Consider an intermediate slice, $\gamma'$, in the sequence $\gamma_t \to \sigma'$
that terminates a uni-chain macro-move, and say

$\gamma' = \gamma_t \mu_1 \mu_2 \ldots \mu_f$

Let $\gamma''$ represent the slice $\gamma_t \mu_1 \mu_2 \ldots \mu_{f+1}$, and say $\mu_{f+1}$ is a
macro-move on $\chi_\ell$.

Then two cases can arise:



Case 1 d( Y " nx £ ) ^ d(Y' n XjC ) 
In this case u f - consists in moving to a relative crutch, i.e. 
a crutch relative to y'- (It should be noted that an arc a which 

Xj 

satisfies : 

d(c^) ^ d( Y ' n Xje ) 



is also a crutch with respect to y.) l n this case, u f .. is to be left 
unchanged . 

Case 2 d( Y " U Xj j) > d( Y ' U Xji ) 

In this case y" ^ X„ is not a relative crutch. Here two 

Xj 



sub-cases arise: 



Case A There is an arc <y , on v. between y" 
and y"> that satisfies 

d(^) 4 d( Y " H X £ ) 
i.e. a hump was crossed. 
In this case M-f ,i is left unchanged. 

Case B There is no arc on x.j between y' and y">

Xj 

that satisfies 

d(c^) 4 d( Y " n Xje ) 

In this case the arc y" U \. has the greatest demand 
of all arcs on % between y 1 and y" (inclusive). Two 
further cases can arise. 

Case Bl There is an arc a \ on x,, be- 
tween y' and y" an d as close 
to y" as possible, that satisfies 

d(a]) ? d(y' U Xjt ) 

and diS^ap i d(a]) 

In this case, n-r.-i is shortened to stop at a 

slice passing through a 1 .. Let the remaining part of 

Jo 

u f , be labelled nJ,,,. 

Case B2 There is no such arc o?l. 
In this case u,. .. is shortened to X, the null 
move. Let the remaining part (i.e. u f , ) be labelled 

M f+r 

In either of the two cases Bl and B2 above, no point is 
served in carrying out |_i' . immediately after n f -,, and |j* 
can be consolidated with any later uni-chain macro-move, u, , 
down x . For the macro-move u f , ? ... u, still fits 
Yj.^^ ... n f+1 feasibly, as the demand on (pt^/y" U xJy" 
is no greater than that on y". (If there is no later move

down x* and 4 ^ k > then M-i , i can be dropped, while if 

I = k then f ' , can be carried out towards the end of the 
r+i. 

sequence y -» cr ' , i.e. after u .) 

To summarise Cases 1 and 2, either $\mu_{f+1}$ consists in moving to
a relative crutch or in crossing a hump, or $\mu_{f+1}$ can be shortened to
consist in moving to a relative crutch. (The shortening may reduce $\mu_{f+1}$
to a null move X.) In any case, $\mu_{f+1}$ is or can be made a move of the
kind that the Augmented Safeness Algorithm produces.

Let the uni-chain macro-moves when consolidated and transformed 
be labelled by u's with asterisks, so that l-i f+1 , f°r instance, becomes 

u_ ., . Then it is clear from the discussion above that the slice re- 

* * * 
suiting from the application of any macro-move, u,u 2 ... M- f , to Y fc 

has a demand no greater than the demand of a slice resulting from the 
application of the corresponding macro-move u,^ ••• M-f> to Y fc . Thus 
the macro-move M- f+1 M- f+2 • • • V- (ignoring moves already made) fits 

----- u fol- 



• • i 



Y.l-Ul-U ... M. f feasibly and, therefore, so too does M-f + ^M-f + 2 

■k 

lowed by |j' \xl . . . u ' (ignoring those included in a u due to consol- 
idation). 

One thus gets a sequence of uni-chain moves, of the kind ASA that 
generates, which leads from y to cr 1 by means of feasible slices 
alone . 

But this is absurd, since $\beta_k$ is the lowest of the barriers
discovered on $\chi_k$ by ASA!

Thus the sequence $\Sigma$ cannot exist and $\gamma_t$ must be unsafe. As
$\gamma_t$ possesses the prefix property with respect to $\sigma$, this implies that
$\sigma$ is unsafe. Thus, the "if" part of the result in the theorem has been
proved.

Q.E.D. 
The reader who is still skeptical about the necessity for the 
complicated interactions and backtracking in the Augmented Safeness 
Algorithm, should remember that the algorithm is expected to handle all 
cases and, in particular, the case illustrated in Figure 3.9. In that 
figure it will be seen that if a choice of crutches is made so that one 
reaches y , then two conditionally acceptable slices y' and y" can 
be found (which possess the prefix property with respect to y ) before 
it is realized that there is no way in which y can be reached from 
y". It is necessary then, to backtrack to y and (perhaps with some 
further fumbling) move to y instead of y . The sequence of slices 

Y -.. Y ••• Y 1 illustrates that y can be reached from y by way 

of y • 
o 

Careful observation of the Augmented Safeness Algorithm, and the 
Crutch Algorithm in particular, shows that in the worst case it tries 
out all possible crutch combinations in an enumerative manner. It is 
interesting that this is not a fault of the way the algorithm works. 
This is stated more precisely in Theorem 3.3 below. A few definitions 
and a lemma lay the groundwork for Theorem 3.3 and these follow. 

§3.10 Characterization of Safeness Algorithms

By algorithm is meant an algorithmic test for the safeness of 
an arbitrary slice of an arbitrary demand graph that attempts to con- 
struct a connected sequence of feasible slices from the test slice to 
the terminal slice of the demand graph. 

A local algorithm is one which, at any point in the construction 
of a connected sequence, has the partial sequence of slices constructed 
up to that point as the only information about the demand graph on which 
to base its decision regarding what move to try next. Thus, a local 
algorithm does not know about the entire remaining portion of the demand 
graph and, therefore, cannot make only the correct move (in the defined 
technical sense) every time. Similarly, a local algorithm does not have 
recall abilities in respect of futile past moves other than to recall 
that they were futile. Thus, it cannot sweep down the chains one at a 
time and thereby gain (and store) knowledge of the whole or part of the 
remaining portion of the demand graph. (Were one to assume such an 
ability, then it is clear that an arbitrarily large memory would be 
required to store the information, as the chains can be of arbitrary 
length. Since any realistic memory has finite capacity, such an assump- 
tion is clearly unrealistic.) It can be seen, easily, that both the 
Modified and Augmented Safeness Algorithm are local. If the order
$\chi_1, \chi_2, \ldots, \chi_m$ is used whenever chains are to be picked, then this
obviates the need for recording futile use of chains. The use of the set
X of preferred chains is not crucial to the working of ASA; it
merely makes ASA more efficient.

A local algorithm is said to be a limited-backtracking algorithm , 
if one can generally partition the sequence of slices it produces into 
two or more sub-sequences, the initial and terminal slices of which 
possess the prefix property with respect to the slice whose safeness is 
being investigated. The Safeness Algorithm of Chapter 2 and the Aug- 
mented Safeness Algorithm are limited backtracking algorithms. An 
equivalent definition of a limited backtracking algorithm is one that 
states that the sequence of moves constructed can be broken up into 
macro-moves such that each such macro-move is applied to and produces 
a slice possessing the desired prefix property. Let these macro-moves 
be called correct macro-moves. A limited backtracking algorithm is said 
to be linear if the number of macro-moves examined, before the correct
macro-move to apply at an intermediate point, characterized by the slice
$\gamma$, is found (or it is discovered that none exists), is always less than

$A \cdot f(n_1, n_2, n_3, \ldots, n_m)$

where: A is some constant, $f(n_1, n_2, \ldots, n_m)$ is linear in the $n_i$,
i.e. of the form $\sum_{i=1}^{m} a_i n_i$ (where the $a_i$ are integer constants), and
$n_i$ is the number of relevant arcs on chain $\chi_i$ below $\gamma$. If the function
f increases with the $n_i$ faster than any linear bound does, then the
algorithm is said to be of higher order or non-linear.

In the case of the Safeness Algorithm of Chapter 2, the number of
macro-moves examined at a time is at most m, i.e. A = m and
$f(n_1, n_2, \ldots, n_m) = 1$, and the algorithm is thus linear. An example of
an algorithm of higher order is the Augmented Safeness Algorithm. (This
statement is clarified in the theorem below.) In the case of the Augmented
Safeness Algorithm, the relevant arcs are crutches with respect
to $\gamma$, so that $n_i$ is the number of such crutches on $\chi_i$.

The lemma which follows is essential to the proof of Theorem 3.3. 



LEMMA 3.4 Let D be the demand graph defined by Figure 3.10.
The arcs marked $\beta'_1, \beta'_2, \ldots, \beta'_m$ are m barriers on the m
chains. The arcs marked l.u.b. are arcs whose demands are
the least upper bounds of the demands on the two arcs on
either side of these arcs. The arcs marked $\alpha_i$ are crutches.
Let $\gamma'_p$ be a feasible slice that is accessible from $\gamma$
and is distinct from $\gamma$. If $\gamma'_p$ lies above the barrier slice
$\beta'_1 \beta'_2 \ldots \beta'_m$, then $\gamma'_p$ cannot possess the prefix property with
respect to $\gamma$.



PROOF: Since $\gamma'_p$ is accessible from $\gamma$, the macro-move $\gamma \to \gamma'_p$
fits $\gamma$ feasibly. Let this macro-move be broken up into uni-chain
macro-moves so that $\gamma \to \gamma'_p = \mu_1 \mu_2 \ldots \mu_q$.

Let $\mu_q$ be a macro-move down chain $\chi_\ell$, and let $\gamma \mu_1 \mu_2 \ldots \mu_{q-1}$
be referred to as $\gamma_{q-1}$. Then there are two cases:

Capacity = (C,,C _, C )



M-. = [ C. - (m-l)p . ] + k ; n. > ; C. :> k. p . + (m-k) . ( p +1) 
H h = [ C h - (m-l)p h ] - k ; u h a ; (^ £ (m-k).p h + k.(p h +l) 

Of the arcs a. : 

i 

(i) Exactly k have the demand (p-^ jp 2 > • -p^+1 > • -p -"^ > • -p n ) 
(ii) The rest have the demand (p, ,p„, • .p, -1> • .p .+1 » • -p ) 

The critical resource is the j ; the h component is specified so as 

to ensure that each a. is a crutch relative to y but d(a.) d d(y n xp ' 

Figure 3.10 

Case 1 d( Y ^ U % J * d(y H X^)

In this case v i meets all the conditions of Lemma 3.1 and, 
"q-l 

therefore, y' cannot possess the prefix property with respect to y. 
Case 2 d( Y ^ □ X^) * d (y q _ ± U XjJ ) 

In this case v i Dv, must be one of the arcs marked "l.u.b.". 
q-l £ 

Thus y _i Hx. must have a greater demand than the arc, o/', preceding 
it, viz an o? or the arc y Ux - 

Let u_ be the previous move down v . Then YM-i ••• l-'-f.i ^X« 
must lie above a' or be a 1 . 

If YM-i ••• kp_i ^X„ i s <*' then the move |x- can be de- 
leted at this point. Since m.,, ... u n will fit 

^f+1 q-l 

YM-j_ ••• u f-1 feasibly. Let Y^u 2 ••• ^ f _]_l^ f+1 ••• l-L_l be 

Y . Then y' is accessible from y since the move u. 1 , 
o 'p 'o q' 

which is a- consolidated with u. , fits y and leads to y'» 
T ^q» 'o 'p 

Thus y meets all the conditions of Lemma 3.1 and, therefore, 
o ' 

Y* cannot possess the prefix property with respect to y. 
If YM-i M- 2 ••• ^f-l'-'x* lies above a', then u can be shortened 
so that YM-i M-o ••• M- f includes a'. Once again YM-i M-o ••• M- _i 
meets all the conditions of Lemma 3.1 and, therefore, y 1 can- 
not possess the prefix property. 

Q.E.D. 

The values of demand have been chosen so that there is exactly
one set of k crutches which must be used to cross any barrier at all.
Non-obstructive arcs are arcs whose demand vectors are such that any
feasible slice that includes $\ell$ arcs that are crutches, for any
$\ell \le m - 1$, (and shares the remaining arcs with $\gamma$) is accessible
from $\gamma$. The arcs marked l.u.b. are non-obstructive arcs. For
if y q is a slice going through i crutches, then (y U\.fa.)y , 
where a. is a crutch, is feasible and so is y . That any 
feasible slice that uses i crutches in addition to arcs from 
Y is accessible from y will be used below. 

Since a local algorithm has no way of knowing which combination 
of crutches is correct other than by trial and error, as many as 
Z - 1 trials can be wasted, where Z is the number of possible crutch
combinations of from 1 to m - 1 crutches (one from each chain) at a 
time that correspond to slices accessible from y. Here n. = 1, 
for all values of i, and since all slices using I crutches are ac- 
cessible^ = 2 

The non-linearity of a local limited-backtracking algorithm 
is thus obvious . 



Q.E.D. 

To further simplify understanding of the example, Figure 3.11
shows a special case of Figure 3.10.

The construction of Figure 3.10 is quite general, in that k can
be an arbitrary integer between 1 and m-1 and can be chosen suitably.
Now suppose a limited backtracking algorithm is given. Since
it is local, it must examine the combinations of the crutches in some
order, and for each combination of r crutches it tries out some moves.
However, since there is only one combination that works, all other
trials are wasted. The number of trials wasted can be made non-linear
by choosing a value of k appropriate to the algorithm. (It should be
noted that the choice of values for $C_j$ and $C_h$ ensures that all slices
which use from 1 to m-1 crutches are feasible and accessible from $\gamma$.)

For example, consider an algorithm that uses the crutches 1
at a time, 3 at a time, etc. up to m-1 or m-2 (whichever is odd) at a
time and then 2, 4, 6 ... at a time.

Pick k = 2. Then the number of wasted trials 

m* 
= / (no. of combinations - r crutches at a time) where m' = m-1 or 

T m ~ ^ 

(r odd) 

^ c -I rr. c 1 3 5 7 n-1 
= the sum of the coefficients ofx,x,x,x ...x 

in (1 +x) (1 + x) ( ) ( ) ... (1 + x) 

The right hand side is 2 , which is non-linear in m. 

The 'correct' combination of crutches
is a 1 and a .



Figure 3.11 

Comment 1: The proof technique above is really quite conservative, for
Figure 3.9 shows that merely being able to cross the barrier is not a
guarantee of being able to reach a slice that possesses the prefix
property (without further backtracking).

Comment 2: It is clear that if no combination of crutches (from 1 to
m-1 of them) permits crossing of any barrier, then $\gamma$ (and hence $\sigma$) is
unsafe.

The theorem above indicates that the Augmented Safeness Algorithm 
is in a sense optimal. As long as the Basic Algorithm succeeds the num- 
ber of sequences examined in vain is at most m-1 and consequently the 
algorithm is linear. When it fails, it is necessary for the Crutch 
Algorithm to try crutches in a trial and error fashion to get past the 
barriers discovered earlier by the Basic Algorithm. It then tries to 
reach a slice possessing the prefix property (by use of the Basic Algo- 
rithm); the Basic Algorithm can then be used again. 

The rest of this chapter deals with special cases of the recti- 
linear vector demand graphs discussed so far. 

§3.11 Locked Data Bases and Semaphores

One of the resources that can be shared in an unpreemptible manner
in computer systems is a set of data bases that have locks on them; only
one user or process at a time can use such a data base. Tables of
miscellaneous varieties in the operating system software are typical
entities of this kind.

The lock is exactly analogous to Dijkstra's semaphores [10]. A
process examines the lock to see if it is set; if it is not set (the
corresponding semaphore has value 1) then it is set (the semaphore is
decremented by 1). The lock stays set until the process using the data
base relinquishes control; at this time the lock is reset again. Of
course, semaphores are more general than locks, in that they can be used
for coordination of activities in general. However, whether processes
use semaphores or locked data bases, deadlocks can occur. The
corresponding demand graphs have demand components which are always either
0 or 1 and C is (1, 1, ... 1). The techniques described in this chapter
can be used to examine the consistency of use of semaphores (or locked
data bases) by a set of users or processes in such a system.

§3.12 Job Shop Scheduling 

A problem of considerable interest in the field of operations re- 
search is that of scheduling a set of manufacturing jobs in a workshop. 
Say the workshop processes raw stock of some kind in several steps to 
produce useful items. There could be variations in processing for dif- 
ferent raw stocks and different items. In any case, one can draw up a 
job chart, which describes which processes have to be performed and in 
what order. The jobs are then to be scheduled on the different machines 
that do the processing. 




One can represent the jobs by a demand graph of the kind shown 
in Figure 3.12. Each arc has a demand consisting of zero's and one's 
corresponding to the machines it does not and does need, respectively, 
in that phase. The General n/m Job-Shop Problem [11] deals with n jobs 
and m distinct machines — in this case the demand graph has n chains 
and each demand vector has m components (the interchanged notation is 
confusing and regrettable). C is (1, 1, 1, ... 1), indicating that there 
are m distinct machines. Thus the Job Shop can be represented by a re- 
stricted class of demand graphs. 

However, it is important to note that each arc of the demand 
graph of Figure 3.12 that has a non-zero associated demand is followed 
by an arc with a zero associated demand. This is true for all Job Shop 
problems, as the operations are performed one at a time and jobs can lie 
between two machines — having been processed by one (freeing that ma- 
chine for other work) and awaiting processing by the other. But this 
feature automatically ensures that any slice of the demand graph that 
is feasible is also safe! Thus deadlocks and examination of safeness 
are not important issues in Job Shops. Rather, it is the minimization 
of processing time (average or maximum) for a set of jobs that is an 
interesting problem — particularly, as the time required for each op- 
eration is quite predictable. 
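
The 0/1 demand graphs of §3.11 and §3.12 can be checked mechanically. The following Python example is added here and is not code from the thesis: it is a plain exhaustive search over slices, not the Basic or Augmented Safeness Algorithm. It assumes the Chapter 2 notions (a slice picks one arc per chain, is feasible when the summed demand does not exceed C, and is safe when the terminal slice can be reached through feasible slices by single-arc moves); the chains below are constructed sample data.

```python
from collections import deque
from itertools import product


def demand(chains, slice_):
    """Component-wise sum of the demand vectors on the arcs cut by a slice."""
    total = [0] * len(chains[0][0])
    for chain, pos in zip(chains, slice_):
        for k, d in enumerate(chain[pos]):
            total[k] += d
    return tuple(total)


def feasible(chains, capacity, slice_):
    """A slice is feasible when its demand fits within the capacity C."""
    return all(d <= c for d, c in zip(demand(chains, slice_), capacity))


def safe_run(chains, capacity, start):
    """Breadth-first search for a connected sequence of feasible slices from
    `start` to the terminal slice. Returns the run, or None if `start` is
    infeasible or unsafe."""
    terminal = tuple(len(chain) - 1 for chain in chains)
    if not feasible(chains, capacity, start):
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == terminal:
            run = []
            while cur is not None:
                run.append(cur)
                cur = parent[cur]
            return run[::-1]
        for i, pos in enumerate(cur):
            if pos + 1 == len(chains[i]):
                continue                      # this chain is already finished
            nxt = cur[:i] + (pos + 1,) + cur[i + 1:]
            if nxt not in parent and feasible(chains, capacity, nxt):
                parent[nxt] = cur
                queue.append(nxt)
    return None


def unsafe_feasible_slices(chains, capacity):
    """All slices that are feasible allocation states yet cannot reach the
    terminal slice, i.e. states from which deadlock is unavoidable."""
    every = product(*(range(len(chain)) for chain in chains))
    return [s for s in every
            if feasible(chains, capacity, s)
            and safe_run(chains, capacity, s) is None]


# Constructed sample data. Two locks (A, B), so C = (1, 1); each chain is a
# list of phase demands (A, B) with zero-demand initial and terminal arcs.
CAPACITY = (1, 1)
# Process 1 takes A then B; process 2 takes B then A (inconsistent use).
INVERTED = [[(0, 0), (1, 0), (1, 1), (0, 0)],
            [(0, 0), (0, 1), (1, 1), (0, 0)]]
# Both processes take A then B (consistent use).
ORDERED = [[(0, 0), (1, 0), (1, 1), (0, 0)],
           [(0, 0), (1, 0), (1, 1), (0, 0)]]
# 2/2 job shop: every non-zero arc is followed by a zero arc.
JOB_SHOP = [[(0, 0), (1, 0), (0, 0), (0, 1), (0, 0)],
            [(0, 0), (0, 1), (0, 0), (1, 0), (0, 0)]]

if __name__ == "__main__":
    for name, chains in (("inverted", INVERTED), ("ordered", ORDERED),
                         ("job shop", JOB_SHOP)):
        print(name, "unsafe feasible slices:",
              unsafe_feasible_slices(chains, CAPACITY))
```

With inconsistent lock use the only feasible but unsafe slice is the one in which each process holds its first lock; the job-shop graph has none, as §3.12 argues.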
§4.1 Arboraceous Demand Graphs

In this chapter the constraints on components of demand graphs
are relaxed somewhat. The components will look like trees but with
more than one arc incident on some nodes. Since the word tree has been
used to describe what others call arborescences, both terms will be
avoided. Instead the term arbour will be used. An arbour is a finite
directed graph that is circuit free, i.e., that has no directed cycles.
An arbour always has at least one node with indegree zero and one with
outdegree zero. An arboraceous demand graph is a demand graph whose
components are arbours and whose arcs are labelled with demands chosen
from the set of n-tuples of integers. The capacity associated with the
graph is also such an n-tuple. No distinction will be made between
vector and scalar demands on arboraceous demand graphs, except where
exceptional properties appear in graphs with scalar demands. Initial
and terminal arcs are respectively out-going arcs of transitions with
zero indegree and in-coming arcs of transitions with zero outdegree.
Initial and terminal arcs have zero demand. Transitions with indegree
one and outdegree greater than one are called forks after Conway [14].
Transitions with indegree greater than one are known as points of
synchronisation or points of interaction. Every point of synchronisation
must have at least one outgoing arc.



See [12] for instance 
See [13] for instance 
In terms of systems of processes sharing resources, arboraceous
demand graphs represent systems in which processes are not necessarily 
either sequential or independent. Such systems, with parallel or inter- 
acting processes or processes that are both, are not uncommon. In terms 
of the construction analogue of Chapter 1, contractors may undertake 
more than one project at a time, with the projects sharing initial or 
final phases of activity but being independent otherwise. Alternatively, 
some projects may be too large for one contractor and may be undertaken 
by several contractors with division of the work into independent se- 
quences of tasks with some interaction between contractors. In com- 
puter systems such as MULTICS [15] processes can produce other processes 
and interact with each other by means of the "block" and "wake-up" 
primitives. The interaction that has been mentioned so far is explicit 
interaction, that is interaction other than through the sharing of 
limited resources. There is one kind of interaction, however, that is 
modelled like explicit interaction even though it is occasioned by
resource sharing. This is the mechanism for acquisition of write access
capability in systems which guarantee determinacy of computations — 
such as those of Van Horn [16], the implementation in MULTICS of which 
is discussed by the author in [17]. In Van Horn's systems, a clerk 
(process) which possesses read-access capability for a shared data 
object acquires write access capability for it when every other clerk 
has relinquished its read access capability. This behaviour cannot be 
modelled merely by treating such a data object as one kind of resource. 
Rather, the dependency of the first process on the others has to be
modelled explicitly, as in Figure 4.1 where the process represented 
by the chain that begins with a 2 is the one that waits to acquire 
write access capability before proceeding with the phase represented 
by o^. 

When arboraceous demand graphs represent systems of users, the 
users are not in one to one correspondence with the components of the 
demand graph; for two or more interacting users appear as one com- 
ponent. Rather, the only construct in the demand graph that indicates 
the number of users in the system represented is the number of initial 
arcs. If every user's processes merge or join [14] before his activity 
terminates, then the number of terminal arcs in the demand graph rep- 
resenting the system also indicates how many users the system has. 

§4.2 Slices and Related Concepts 

A sliver in an arboraceous demand graph is a cut-set of a component
of the demand graph. A slice of an arboraceous demand graph is a set
of slivers, one from each component-graph. Slices are denoted by
lower case Greek letters other than α and β — usually γ. The pendant
sub-graph of an arc consists of the arc and the arbour from its
terminal transition, t, i.e., the maximal arbour, with t as the only
transition with zero indegree, that is a sub-graph of the graph. The
pendant sub-graphs of the arcs in a slice of an arboraceous demand
graph are termed the chain-graphs defined by the slice. Clearly, the
chain-graphs defined by a slice are not necessarily disjoint. In
rectilinear demand graphs chain-graphs are chains and this is what
suggests the terminology for arboraceous demand graphs. Chain-graphs
are represented by χ.

As in Chapter 2, since a slice of an arboraceous demand graph
partitions the transitions of the graph, one can speak of the predecessor
set and successor set of a slice. The relations "earlier than or the
same as" and "later than or the same as" for slices are represented by
"≤" and "≥", respectively, and are defined exactly as in Chapter 2.

The initial slice, γ_I, and terminal slice, γ_T, of a demand graph
are defined as in Chapter 2.

A frustum of a demand graph is the part of the graph that lies
between two slices, one of which is earlier than the other. The frustum
defined by slices γ_1 and γ_2 of a demand graph D, where γ_1 < γ_2, is
denoted by F(D, γ_1, γ_2). A frustulum is a component of a frustum. The
frustula of F(D, γ_1, γ_2) are denoted by f_j(D, γ_1, γ_2), for the j-th
frustulum, or simply f_j when the frustum referred to is clear from the
context. By analogy to entire demand graphs, cut-sets of frustula are
also termed slivers — the components of the demand graph are the
frustula of F(D, γ_I, γ_T). In rectilinear demand graphs, frustula are
chains. Figure 4.2a shows a frustum of a demand graph and Figure 4.2b
shows the frustula of the frustum. As indicated in Figure 4.2,
transitions immediately following the slice γ_2 and immediately
preceding the slice γ_1 are part of the frustum F(D, γ_1, γ_2), but forks
preceding γ_1 are split up into as many nodes as there are outgoing
arcs and points of interaction are split up into as many nodes as
there are incoming arcs. As a consequence, in Figure 4.2b, the
sub-graphs marked f and f or those marked f and f are distinct frustula.

The concepts of immediate-successor slices, moves, macro-moves, 
uni-chain macro-moves, connected sequences of slices, runs, feasibility 
and safeness of slices, etc., carry over directly from Sections 2.6 and 
2.9. 

The slices of an arboraceous demand graph representing a system 
correspond, as before, to the states of the system. The number of 
chain-graphs defined by the current slice corresponds to the number of 
processes in the system in the current state. As before, a state is also 
called an allocation state and feasible slices represent meaningful al- 
location states. Safe slices represent states from which the processes 
can be scheduled so as to run to completion without deadlock. In gen- 
eral, the interpretations of Chapter 2 carry over. However, the term 
"user" is now not necessarily synonymous with the term "process" since a 
user's activity may involve several processes, even though it involves 
only a single process initially. 
then the graph of Figure 4.4a can be transformed into that of Figure
4.4b which does not exhibit inherent deadlock. There are instances, 
however, when such a transformation does violence to the representation. 
For the processes may deliberately be withholding resources from other 
processes until certain conditions are satisfied by the latter processes, 
satisfaction of the conditions being signalled by the processes reaching 
the point of interaction. Consequently, although it is tempting to pre- 
scribe a transformation of arboraceous demand graphs so as to duplicate 
the arcs preceding and following a point of synchronisation and replace 
the demand on the one near the point by the g.l.b. of the demands on the 
arcs on either side of the point, no transformation will be prescribed. 
However, the spirit of the transformation should be borne in mind in 
the specification of a demand graph for a system of processes. 

§4.5 The Prefix Property 

As with rectilinear demand graphs, it is desirable to have 
limited-backtracking algorithms for determination of the safeness or 
unsafeness of a slice. This requires extension of the prefix property 
to arboraceous demand graphs. 

The set of extensions E_D(γ) of an arboraceous demand graph D is
the set of arboraceous demand graphs that are identical to D until γ
and that have the same capacity as D. An element of E_D(γ) is an
extension of D with respect to γ. If D' is such an extension, then
F(D', γ'_I, γ) = F(D, γ_I, γ), where γ'_I is the initial slice of D'.

The definition of the prefix property is identical to that in 
Chapter 3. 

§4.6 Necessary and Sufficient Conditions for the Prefix Property 

It should be clear from the discussion thus far that arboraceous 
demand graphs can be analyzed like rectilinear demand graphs as far as 
necessary and sufficient conditions for the prefix property are
concerned. For the frustula of F(D, γ_I, γ) correspond to the chains
intersecting γ in a rectilinear demand graph, the demand on a sliver
of a frustulum corresponds to the demand on an arc of a chain in a recti- 
linear graph, and so on. 

Thus, the results in Lemmas 3.1 to 3.3 and Theorem 3.1 can be 
translated directly for arboraceous demand graphs. They are stated be- 
low as Lemmas 4.1 to 4.3 and Theorem 4.1, respectively. The proofs are 
similar to those in Chapter 3 and only the variations will be ex- 
plained. In general, the proofs of Chapter 3 apply with substitution 
of "frustulum" for "chain" when the reference in Chapter 3 is to the 
part of a chain above a slice, and "chain-graph" for "chain" when the 
part referred to lies below a slice, of "sliver" for "arc", "move down 
a chain-graph" for "move down a chain", etc., where appropriate. The
notation "γ ∩ f_i" stands for the sliver in which γ intersects the
frustulum f_i of some frustum, and d(γ ∩ f_i) for the demand on that
sliver.
LEMMA 4.1 Let D be an arboraceous demand graph and let γ
be a feasible slice of D that intersects at least one
frustulum of F(D, σ, γ) in a sliver with non-zero demand,
where σ is a feasible slice of D that is earlier than γ
and from which γ is accessible. Let D* be the extension
of D with respect to γ defined by Figure 4.5, and
δ_1 be any slice of D* that is of the form F_1, which is
defined below. Then the slice γ possesses the prefix
property with respect to σ only if whenever the slice
δ_1 is accessible from σ, the slice γ is not accessible
from δ_1.

Form F_1 A slice, δ_1, of this form satisfies the
following conditions:

(i) σ < δ_1 < γ

(ii) δ_1 and γ share at least one arc that has a
non-zero demand
(iii) d( Y ) t d(6 1 ) 

COMMENT It will be recalled that the proof of Lemma 3.1 in- 
volves constructing an extension in which a is safe but Y is not. 
This is done by following y U%., where X- is the chain on which y 
and &i share an arc, by an arc a', whose demand is just small enough 
for (Q' , /6 1 nx^S-L to be feasible. The arcs on x k ( k £ J) following -y 
have demands in D* which are such that uni-chain macro-moves down the 
X k 's fit (a T /Y nx,)Y feasibly for some ordering of the k's, where 
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a? T is the terminal arc of x. in D 1 . Thus y' the terminal slice of D* 
is accessible from 6.. but not y. 

In the case of arboraceous demand graphs D' is similarly
constructed with chain-graph read for chain. Accessible slivers of
frustula play the same role as arcs that are not barriers in rectilinear
graphs.

LEMMA 4.2 Let D be an arboraceous demand graph and let γ be
a feasible slice of D that intersects at least one frustulum
of F(D, σ, γ) in a sliver with non-zero demand, where σ is
a feasible slice of D that is earlier than γ and from which
γ is accessible. Let D* be the extension of D with respect
to γ defined by Figure 4.5 and δ_2 be any slice of D* of
the form F_2, which is defined below. Then the slice γ
possesses the prefix property with respect to σ only if every
δ_2 is inaccessible from σ.

Form F_2 A slice, δ_2, of this form satisfies the
following conditions:

(i) σ < δ_2 < γ

(ii) δ_2 and γ share at least one arc that has
a non-zero demand

(iii) d( Y ) 4 d(6 2 ) 

(iv) d(δ_2 ∩ f_i) ≤ d(ρ ∩ f_i) for all slices, ρ, which lie between σ
and δ_2 (inclusive) and for all frustula f_i.
COMMENT In the case of Lemma 3.2 use is made of Lemma 3.1
and condition (iv) in F_2 is shown to imply that γ must be accessible
from δ_2. The accessibility of γ from δ_2 is shown by modifying the
moves from σ to γ that fit γ feasibly to fit δ_2.

In the case of arboraceous demand graphs too the moves can be
modified to fit δ_2. As in the proof of Lemma 3.1, one can consider
moves (j- and |a^ so that the slice resulting from the application 
of μ is the first one in the sequence of feasible slices from σ to
cross δ_2, etc.



LEMMA 4.3 Let D be an arboraceous demand graph and γ be a
slice of D that intersects at least one frustulum of
F(D, σ, γ) in a sliver with non-zero demands, where σ is
a feasible slice of D that is earlier than γ and from
which γ is accessible. Let D* be the extension of D with
respect to γ defined by Figure 4.5 and δ_3 be any slice
of D* that is of the form F_3, which is defined below. Then
γ possesses the prefix property with respect to σ if
whenever δ_3 is accessible from σ, γ*_T, the terminal slice
of D*, is not accessible from δ_3.

Form F_3 A slice, δ_3, of this form satisfies the
following conditions:

(i) σ < δ_3

(ii) Either δ_3 and γ share at least one arc
that has non-zero demand or δ_3 includes
at least one terminal arc of D*.

(iii) d(v-) ^ d(6 ) where Yo I s tne slice ob- 
tained by replacing arcs in y by terminal 
arcs of D , on all those chain-graphs of D 
defined by y that 6 intersects in 
terminal arcs. 

COMMENT It will be recalled that the proof of Lemma 3.3 is
similar to that of Lemma 3.1, in that it involves modifying a sequence
of moves from σ to γ_T, the terminal slice of an extension D* in which
σ is safe, to fit γ feasibly. Exactly the same technique is applicable
to arboraceous demand graphs.



THEOREM 4.1 Let D be a vector demand graph and let γ be a
feasible slice of D that intersects at least one frustulum of
F(D, σ, γ) in a sliver with non-zero demand, where σ is a
feasible slice of D that is earlier than γ and from which
γ is accessible. Then γ possesses the prefix property with
respect to σ if

d(γ ∩ f_i) ≤ d(ρ ∩ f_i) for all slices, ρ, that lie between σ and γ
(inclusive) and for all frustula, f_i.
for such graphs cannot be linear. To prove this would merely require
translation of Lemma 3.4 and Theorem 3.3. In fact, even translation 
is unnecessary as rectilinear demand graphs are special cases of 
arboraceous demand graphs. 

However, even with scalar demands arboraceous demand graphs can 
have only non-linear limited-backtracking algorithms. This is proved 
in Theorem 4.2 below. The term "crutch" and "barrier" may be applied
to slivers in addition to arcs in the rest of this chapter (although
"barriers" are usually arcs), as the slivers of interest consist of
single arcs in those instances.

THEOREM 4.2 There does not exist a linear limited-backtracking 
algorithm for arboraceous demand graphs even when the demands 
and capacity are chosen from the set of integers. 

PROOF: Consider the demand graph in Figure 4.7. Suppose one
has constructed a partial connected sequence of feasible slices from
σ to γ and suppose γ possesses the prefix property with respect to
σ.

Because of the choice of values for the demands associated with
the α's and β's, each arc labelled α or β has a demand that is greater
than the demand on the arc in γ that lies on the same frustulum of
F(D, γ, γ*). No slice, γ', that lies strictly between γ and γ* can
possess the prefix property with respect to γ. For the macro-move
γ → γ' can be broken up into exactly m uni-chain macro-moves
μ_1, μ_2, ..., μ_m because of the relations between demand values
indicated in the previous sentence, and the slice γμ_1 is a slice that
satisfies all the conditions of Form F_1 in Lemma 4.1.

Thus the next slice that possesses the prefix property with
respect to γ lies below γ*.

Careful observation of the figure shows that there is exactly
one ordering of the chain-graphs χ_1, χ_2, ..., χ_m defined by γ for
the uni-chain macro-moves making up the macro-move γ → γ* that fits
γ. This order is χ_1, χ_2, ..., χ_m in the figure but can be made
arbitrary by permuting the values of demand on the α_i's and β_i's.

As there is no way in which a local algorithm can determine the
one order that is correct, other than by trial and error, the number of
futile trials, consisting of uni-chain macro-moves, can be
(conservatively speaking) as large as

(m - r) + (m - r) + ... [m - r times] = (m - r)^2

For each of the m - r uni-chain macro-moves, 

M-j = Y r _ 1 -+ (Cj/Yj..], n X,)Y r _ 1 for the values of j in [r, m], fit 
Y r _-jL> Of these all but one are incorrect. However, that the macro- 
move |i (j ^ r) is incorrect is not discovered until m - r futile uni- 
chain macro-moves (down x r , Xj. +1 » ••• X.p X j+1 i • • • X m > are tried 
from Y^u- 
Thus as many as

(m - 1)^2 + (m - 2)^2 + ... + 1^2 = (1/6)(m - 1)(m)(2m - 1)

trials can be wasted.

The non-linearity of any limited-backtracking algorithm follows, 
since there is always a graph that has a "correct order" different from 
that used by the algorithm, and in fact a correct order that is as bad 
as the worst. 

Q.E.D. 

§4.9 On the Non-local Nature of Algorithms for Arboraceous Demand Graphs 

Consider the frustulum shown in Figure 4.8. Two slivers s and s*
are shown there. Suppose σ is a feasible slice which contains s and
γ is the feasible slice (s*/s)σ. The slice γ does not possess the
prefix property with respect to σ because the slice (s_1/s)σ is a
slice of the form F_1 in Lemma 4.1. However, if a safeness algorithm
were to use the macro-move σ → γ shown by the sequence of dashed
slivers in Figure 4.8, then (s_1/s)σ is not a slice that is part of the
connected sequence σ ... γ. That a general limited backtracking
algorithm needs information about slices that are not in the sequence of
slices it constructs to determine whether a macro-move is acceptable or
not, means that such an algorithm is not local in the defined sense.
It may be local in the broader sense that it uses only the initial part
of the demand graph up to the slice reached.

The problem is not restricted to demand graphs of which the
frustulum in Figure 4.8 is a part. Rather, it is a consequence of two
facts. The first fact is that there are more slices in a frustulum
which is followed by a point of synchronisation than in a sequence of
slices that is produced by a macro-move that crosses it. The other fact
is that crutches such as those in s_1 can lead to slivers of smaller
demand in combination with other crutches. For instance, in Figure 4.8,
the sliver s has a demand no greater than that of any of the dashed
slivers encountered, and yet this is not so with respect to s_1. Thus a
translated version of the Modified Safeness Algorithm of Chapter 3 would
have (erroneously) declared the macro-move σ → γ acceptable! However,
this version of the Modified Safeness Algorithm would not be in
error in this manner if the demands were scalar; for if

a' ■£ a and b' i b 
then 

a' + b* i a' + b' 

which is not necessarily true for vectors, as the arcs a_1, a_1' and
a_2, a_2' show in Figure 4.8. The sliver s_1 has a smaller demand than
s does and also a smaller demand than (a_1'/a_1)s or (a_2'/a_2)s do.

Let γ_s be a slice that uses the sliver s and γ_s* a slice
that uses s*. Then the fact, that all the feasible slices that are
accessible from γ_s and that lie between γ_s and γ_s* need to be
considered if Theorem 4.1 is to be applied in an algorithmic test, is
crucial to the understanding of the General Safeness Algorithm. This
algorithm is presented in the next section. Fortunately, s need not
be earlier than the last sliver that meets the test of Theorem 4.1,
relative to the corresponding sliver in the test slice, on each of
the chain-graphs that join at the point of synchronisation.

[Figure 4.9: Efflorescence of t]

§4.10 The General Safeness Algorithm 

The General Safeness Algorithm, or GSA for brevity, is an al- 
gorithmic test for testing the safeness of a slice of an arboraceous 
demand graph. It attempts to construct a connected sequence of feasible 
slices from the test slice to the terminal slice of the demand graph. 
Some new terminology is useful in the description of the GSA and is 
indicated below. 

The pre-synchronisation sliver, s^t_pre, of a point of
synchronisation, t, is the sliver that contains exactly those arcs which
are the incoming arcs of t. Similarly, the post-synchronisation sliver,
s^t_post, of t is the sliver that contains exactly those arcs which are
the outgoing arcs of t. Figure 4.9 shows the pre-synchronisation
sliver and post-synchronisation sliver of a point of synchronisation.

The efflorescence £ (t) of a point of synchronisation , t, is the 
frustulum of F(D, y t » Y t ) that contains the arcs incident on t — where 
FUNDAMENTAL ALGORITHM

FA is similar to the Basic Algorithm of Chapter 3. The input
parameters ω and γ are respectively the reference slice and the
current conditionally acceptable slice. In case of successful
termination, FA returns a slice, γ*_FA, that possesses the prefix
property with respect to ω. Nothing is returned in the event of failure.

The set X' is an internal variable. The set S is an input parameter
and a set of slices that are relevant to the application of the test
in Theorem 4.1. S_t is a similar set except that it is of temporary
interest and is an internal variable. X_FA is an input parameter and is
a set of chain-graphs.

Step 0: Set S_t equal to ∅, the empty set, and X' equal to X_FA.
Go to Step 1.

Step 1: Add γ to S_t. Go to Step 2.

Step 2: Pick a chain-graph from X' - call it χ_i. Go to Step 3.

Step 3: Attempt to construct a uni-chain macro-move, μ, down χ_i
that fits γ and is as large as possible, but terminate the
macro-move at the first point where the slice γ' resulting
from the application of μ satisfies one of the conditions
given below. In any case, add the slices resulting from the
component moves of μ to the set S_t.

(i) d(γ' ∩ χ_i) ≤ d(ρ ∩ χ_i) for all slices ρ that lie
between γ and γ' (inclusive).
Go to Step 4.

(ii) γ' is followed by a fork, f.
In this case perform the Fork Algorithm (FkA, for
brevity) with γ', X_FA and f as values for the input
parameters γ_F, X_F and f_F.
If FkA terminates with failure, go to Step 5.
If FkA terminates successfully, set γ' and X_FA
respectively equal to γ*_F and X*_F, the values returned,
and go to Step 4.

(iii) γ' is followed by a point of synchronisation, t.
In this case, go to Step 5 after setting S_t to ∅.

Step 4: If γ' satisfies:

d(γ' ∩ f_i) ≤ d(ρ ∩ f_i) for all slices ρ in S and for all
frustula, f_i, of F(D, ω, γ')

then set γ*_FA equal to γ', terminate and report success.
If γ' does not satisfy the above condition then add
S_t to S, set γ equal to γ' and both X' and X_FA equal to
the set of chain-graphs defined by γ', and go to Step 2.

Step 5: Delete χ_i from X'. If X' is now empty then go to Step 6;
if not, go to Step 1.

Step 6: Perform the Sync Algorithm (SA) with γ, ω, X_FA and S as
respective values for the input parameters γ_SA, ω_SA, X_SA and
S_SA. If SA terminates successfully, set γ' equal to
γ*_SA, the value returned, and go to Step 4. If SA terminates
with failure go to Step 7.

Step 7: Perform the Crutch Algorithm (CA) with γ, ω, X_FA and S as
respective values for the input parameters γ_CA, ω_CA, X_CA
and S_CA. If CA terminates successfully, set γ' equal to
γ*_CA, the value returned, and go to Step 4. If CA terminates
with failure, terminate and report failure.



SYNC ALGORITHM

Input parameters to this algorithm are γ_SA, ω_SA, X_SA and S_SA.
The algorithm searches the chain-graphs in X_SA one at a time until a
point of synchronisation is reached. If it finds such a point, t, it
seeks the aid of the Sync Crosser Algorithm (SCA) to extend the sequence
from γ_SA to a post-synchronisation slice of t and (recursively) asks
for the performance of FA. The parameter ω_SA is a slice. X' is an
internal variable and is initialized to X_SA. S_SA is a set of slices.

Step 0: Set X' equal to X_SA and go to Step 1.

Step 1: Pick a chain from X' — call it χ_i. Go to Step 2.

Step 2: Attempt to construct a uni-chain macro-move, μ, down χ_i
that fits γ_SA and that is such that γ_SA μ is followed by
a point of synchronisation, t.
If the attempt is successful go to Step 3; if not go to
Step 4.

Step 3: Perform the Sync Crosser Algorithm (SCA) with γ_SA μ, X_SA and t
as values for γ_SCA, X_SCA and t_SCA, respectively. If SCA
terminates successfully, set γ_SA and X_SA respectively
equal to γ*_SCA and X*_SCA, the values returned, augment S_SA
with S*_SCA which is returned, and go to Step 5.
If SCA terminates with failure, go to Step 4.

Step 4: Delete χ_i from X_SA. If X_SA is now empty go to Step 6;
if not, go to Step 1.

Step 5: Perform FA with ω_SA, γ_SA, X_SA and S_SA as respective values
for ω, γ, X_FA and S.
If FA terminates successfully, set γ*_SA equal to γ*_FA, the
value returned, terminate and report success.
If FA terminates with failure, go to Step 4.

Step 6: Terminate and report failure.

Sync Crosser Algorithm

This algorithm uses the Enumerative Algorithm (EA) to build up
a set, S*_SCA, of slices that are feasible and accessible from γ_SCA,
one of its input parameters, and determines if the pre-synchronisation
sliver s^t_pre of t_SCA, another input parameter, is accessible from
γ_SCA. The parameter X_SCA is a set of chain-graphs as is X*_SCA, but the
former is an input parameter and the latter is returned upon successful
termination. A slice, γ*_SCA, and the set S*_SCA of slices are also
returned upon successful termination.

Step 1: Construct the set of chain-graphs in the efflorescence of
t_SCA. Call it X'_SCA. (At worst, X'_SCA can be set equal to
X_SCA.) Go to Step 2.

Step 2: Perform the Enumerative Algorithm with X'_SCA and γ_SCA as
respective values for the input parameters.
If EA terminates successfully, set S*_SCA, γ*_SCA and X*_SCA
respectively equal to the values S*_EA, γ*_EA and X*_EA returned,
terminate and report success.
If EA terminates with failure, terminate and report
failure.



Enumerative Algorithm

This is a recursive algorithm similar to the Crutch Algorithm of
Chapter 3, except that it asks for the performance of EA instead of the
Basic Algorithm and that it needs to use FkA at forks and to treat
points of synchronisation as barriers. It builds up the set S*_EA of
feasible slices accessible from γ_EA and terminates with success if
(s^t_pre/s_γEA)γ_EA, the slice that is identical to γ_EA except that it
uses the pre-synchronisation sliver, is in S*_EA. Upon successful
termination S*_EA is returned, as is γ*_EA, which is
(s^t_post/s_γEA)γ_EA, and X*_EA, the set of chain-graphs defined by
γ*_EA.
CRUTCH ALGORITHM

This algorithm is similar to its namesake in Chapter 3, except
that it uses FkA when necessary and seeks performance of FA instead
of the Basic Algorithm.

FORK ALGORITHM

It takes three input parameters, a slice γ_F, a set of chains
X_F, and a fork f_F. If the slice through the post-fork sliver (this is
similar to the post-synchronisation sliver, conceptually), i.e.,
(s^f_post/s_γF)γ_F, is feasible, it terminates with success and returns
this slice as γ*_F and the chain-graphs it defines as X*_F. No value is
returned if FkA fails.

§4.11 Isolation of Efflorescences

The SCA algorithm in the previous section assumed that the
efflorescence of a point of synchronisation can be isolated. The task
is far from easy as Figure 4.10 shows. In Figure 4.10, if the
chain-graphs of y were searched from top to bottom to determine if t lies
on them, a fairly long and futile search down the chain-graphs marked
X f and x' is possible before it is realized that t is not on it.
Besides, unless the points of synchronisation are labelled too, there
is no way of distinguishing one from another.

Figure 4.10

The isolation of an efflorescence becomes considerably easier 
if the demand graphs are constrained so that graphs such as that in 
Figure 4.11 are ruled out; for them the chain-graphs can be labelled 
conveniently. The constraint can be described precisely if the 
notion of generations is associated with chain-graphs. For this pur- 
pose it is useful to use chains again. A chain-graph of y-r starts 
out as a chain and sub-divides into more chains, with consolidation 
occurring at some points of synchronisation. Points of synchronisation 
will be referred to as joins. 

The first constraint requires that all points of synchronisation 
have exactly one outgoing arc. It will be recalled that forks have 
exactly one incoming arc. This makes it possible to introduce the 
concept of generation. 

The chains that are chain-graphs defined by y belong to the
first generation. At a fork, such a chain gives rise to two or more
chains of the second generation. Each chain of the second generation gives
rise to chains belonging to the third generation at a fork, and so on.
Similarly, chains give rise to a chain of one lower generation at a
join. However, this leads to an ambiguity if chains of different
generations meet at a join. The second constraint, therefore, requires
that only chains belonging to the same generation can meet at
a join.

Chains of second or older generations that arise from a chain,
that is a chain-graph defined by y, are called siblings. All chains
of the first generation are also siblings.

Figure 4.11

The third constraint requires all chains meeting at a join to 
be siblings in addition to belonging to the same generation. 

These three constraints are necessary for consistency of gen- 
eration numbering. 

Figure 4.12 shows arcs marked with the generations of the chains 
they belong to. The demand graph of Figure 4.12 satisfies all the con- 
straints. 

Figure 4.13 is a copy of Figure 4.11 but shows a one-digit 
position per generation labelling with increasing numbers from left 
to right on outgoing arcs of a fork. It is seen that the efflorescence 
of t consists of all chain-graphs that are labelled with a leading 1. 

The constraints described above have a meaningful interpretation 
in terms of processes in a computer system. They state that processes 
are created by a computation to carry out an internal computation and, 
therefore, no other computation knows about the processes. A similar 
argument is used for processes of the third generation, and so on. 
Since only processes of the same generation that are siblings "know 
each other", only they can interact. The constraint on points of 
synchronisation that they have only one outgoing arc is a relatively 
artificial constraint, though. However, it does simplify the task of 
isolating efflorescences. 

Figure 4.13

Loops and Decisions

Chapter 5

§5.1 Unrestricted and Augmented Demand Graphs

A demand graph was defined in Chapter 2 to be a finite directed 
graph with demands on the arcs and a capacity associated with 
the graph. The analysis in Chapter 4 dealt with all but demand graphs 
with circuits or directed cycles. Sections 5.2 and 5.3 aim at an in- 
formal study of the effect of cycles in demand graphs on the analysis 
of deadlocks. The study is informal because the complexity of the 
graphs to be considered becomes unmanageable. Moreover, the analysis 
of Chapter 4 suggests that there can be much repetition of familiar 
techniques, so that an analysis of the differences alone may suffice. 
Section 5.4 deals with augmentation of demand graphs to include a 
mechanism for the representation of decisions and alternative alloca- 
tion possibilities in processes. There, too, an informal discussion 
of the effect of such augmentation on the analysis is presented. Be- 
cause the discussion is informal, there is an underlying assumption 
in all sections that the demand graphs that should be considered are 
those that represent meaningful behaviour by users of systems, rather 
than general members of the classes of graphs considered. 

§5.2 Unrestricted Demand Graphs 

Unrestricted demand graphs are the demand graphs defined in
Section 2.2, and thus include cyclic graphs. However, rather than treat
such graphs in general, the discussion in this section and the next
deals with rectilinear demand graphs in which arcs have been added for
the purpose of creating cycles. Figure 5.1 shows an example of such a
graph.

The demand graph of Figure 5.1 exhibits overall loops, i.e.
it is a rectilinear demand graph in which the corresponding terminal
arcs and initial arcs of chains are joined. The graphs thus consist
of chains and rings. Demand graphs with overall loops will be referred
to as annular demand graphs.

In terms of systems of processes, annular demand graphs represent 
repeatable or recurrent processes. The manufacturing industry provides 
several instances of recurring processes in the field of operations re- 
search. In interactive computer systems, a process that responds to 
editing commands or a process that handles console commands is an ex- 
ample of a recurrent process. 

It is clear that slices of annular demand graphs can be defined, 
exactly as in Chapter 2, as sets of arcs, one from each chain. However, 
the slices do not form a lattice as they did in Chapter 2, since $y_1 \le y_2$
and $y_2 \le y_1$ do not necessarily imply that $y_1 = y_2$. Feasibility and safeness
of a slice can be defined as before. However, as Figure 5.1 shows,
if a slice such as y is safe, then a slice such as y 1 is safe too. 
For the (now merged) initial and terminal arcs have zero demand and the 
arcs on any chain have a demand that does not exceed the capacity of 
the graph. Thus annular demand graphs may be analyzed by cutting each 
ring at any arc that has zero demand and analyzing the rectilinear 
demand graphs that result by the techniques of Chapter 3. 

Figure 5.2 shows another form of cyclic demand graph, viz one
with an internal loop. Although moves across transitions having more
than one output arc have been interpreted so far as representing the
initiation of parallel processes, it is clear that such an interpretation
would be meaningless for the demand graph of Figure 5.2. A useful
interpretation would consider a transition, such as t.. in Figure 5.2, 
which has several outgoing arcs, one of which is part of a loop, as 
representing a point of choice. Consequently, a slice of such a demand 
graph should not be defined, as it has been in Chapter 4, in terms of 
slivers that are cut-sets of component sub-graphs of the demand graph. 
Rather than attempt to find an appropriate definition of a slice for 
analysis of deadlock, it may be worthwhile to determine if the loops 
can be meaningfully rectified; for then the definitions of slices, safe- 
ness, etc., used in Chapter 3 as well as the analysis in that chapter 
can be used. 

Now a loop in a demand graph such as that of Figure 5.2 rep- 
resents the fact that the phases represented by the arcs around which 
the loop is drawn (the three arcs a-^, a and a in Figure 5.2) may 
occur more than once and, in fact, an unpredictable number of times. 
Consequently, in rectification of such a graph, it must be ensured that 
a slice such as y in Figure 5.2 is considered safe only if it is safe 
no matter how many times the string of arcs oe a a is repeated in 
succession. The rectified graph used for safeness analysis must, 
therefore, use an adequate number of copies of the iterand, viz the 
segment a-., »„, cy . The problem of determining what number of copies is
adequate will be referred to as the adequate rectification problem.

§5.3 The Adequate Rectification Problem

Consider the slice y in Figure 5.2. If using one copy of the 
iterand is adequate, then Figure 5.2 shows that y is safe. However, 
the result is fallacious, since it is clear that if the phases represented 
by the iterand do get repeated then deadlock would result in the system 
represented. Figures 5.3a and b show an example in which y is safe 
when two copies of the iterand are used but not when three copies are. 

Figure 5.4a shows a somewhat different example, in which the slice 
y is safe when one or two copies of the iterand are used (Figure 5.4b) 
and also when any larger number of copies is used. The difference 
seems to lie in the fact that in Figure 5.4b one can find a slice y' 
that is accessible from y and that has the property that a uni-chain 
macro-move across the entire iterand fits y' feasibly. Clearly a se- 
quence of any number of such macro-moves across copies of the iterand 
would fit y' too. 

In general, let y be the slice whose safeness is being examined.
Let y be safe when 1, 2, 3, ... n copies of the iterand are used, and
let n be the smallest number such that when n copies are used, a slice
y' is accessible from which a uni-chain macro-move across the entire
nth copy of the iterand fits y' feasibly. Then n is the number of
copies that represents "adequate rectification." It would seem quite
likely that n varies from test slice to test slice.

It would appear that in demand graphs with scalar demands one 
copy is adequate. This is because a reduction in demand cannot be 
selectively for one component only (as was the case with arc a in 
Figure 5.4a). 

The number of copies referred to above is the number of complete 
copies — the qualification is redundant except when the test slice it- 
self includes an arc from the iterand. 

§5.4 Manifold Demand Graphs 

A Manifold Demand Graph is an augmented form of demand graph in 
which some transitions with more than one output arc are marked with 
the logical Exclusive Or symbol. Such transitions represent points of 
choice in the processes. A process takes only one of the many paths at 
such a point during a run. As in Section 5.2, the aim of this section 
is to examine the effect of such an augmentation on the analysis of 
deadlock and, consequently, the demand graphs considered will consist 
of chains. 

A point of choice may arise in processes because the choice of 
activity to be undertaken next depends on a decision that is based on 
a predicate which cannot be evaluated until this point in the process. 
It may arise also from the presence of versatile resources in the 
system. Such resources can serve as well as resources of another type
and, therefore, may be used in place of the latter if these are un- 
available at the time. 

As discussed in Section 5.2, the problem of a suitable definition 
for slices arises. Once again, it is tempting to try and avoid the 
problem by replacing the multiple chains of arcs emanating from such 
transitions by a single representative chain. The analysis of recti- 
linear demand graphs in Chapter 3 would then be applicable. 

The choice of a representative chain depends on what is repre- 
sented. If the point of choice represents a stage where a process auto- 
nomously chooses one path, then the representative chain should represent 
the "worst" alternative. If, on the other hand, the point of choice rep- 
resents a stage in a process where one of several combinations of re- 
sources can meet its needs, so that the alternative paths represent the 
availability of choice to the resource allocator, then the "best" alter- 
native is the one that should be represented. Since deadlock avoidance 
is of interest, the terms "best" and "worst" presumably represent the 
choices that are respectively most and least likely to make slices safe. 

Unfortunately, which alternative is "best", say, depends on the 
slice being tested and, consequently, a local algorithm has to try all 
the alternatives one by one. This is illustrated in Figures 5.5 to 5.7. 
In Figure 5.5, slice $y_1$ is safe only if the left hand alternative is
used, while $y_2$ is safe only if the right hand alternative is used.
Figure 5.6 shows that even with scalar demands, the choice of an
alternative is not easy. In that figure the chain that has the larger
maximum of demands on arcs is not inferior; for o~ is safe only if the 
right hand alternative is used. Figure 5.7 shows that even if a chain 
has the smaller maximum of arc demands and the smaller minimum of arc 
demands, it can be "worse" than the other; for slice a is safe only 
if the right hand alternative is used. 

The selection of a "worst" alternative runs into similar problems. 

Thus it is necessary to redefine a slice so that it is a set of 
arcs, one from each chain, with alternative chains emanating from a 
transition that represents a point of choice considered to be a single 
chain. Safeness algorithms have then to try the alternative chains one 
at a time until either a chain that can be crossed is found or all the 
chains can be crossed — the choice depends on whether the alternatives 
represent a decision by the process represented or a choice by the re- 
source allocator. This, of course, increases the amount of backtracking 
and probably makes it non-linear. 
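
The unrolling test of §5.3 and the try-each-alternative rule of §5.4, as an added example (not code from the thesis) run on constructed two-chain vector demand graphs; all names and demand values are made up here. It assumes that a move takes one chain across one transition and that a slice is safe when the terminal slice is accessible through feasible slices only; the bound on n and the requirement that the slice reached by the macro-move be safe itself are further assumptions of this sketch.

```python
# Added example on constructed data; nothing here is taken from the thesis figures.
CAPACITY = (3, 3)            # two resource types, i.e. vector demands
ZERO = (0, 0)                # initial and terminal arcs have zero demand


def feasible(chains, sl):
    """A slice holds one arc index per chain; it is feasible if demand fits capacity."""
    demands = [chains[c][i] for c, i in enumerate(sl)]
    return all(sum(d[r] for d in demands) <= cap for r, cap in enumerate(CAPACITY))


def accessible(chains, start):
    """Feasible slices reachable by moving one chain across one transition at a time."""
    if not feasible(chains, start):
        return set()
    seen, stack = {start}, [start]
    while stack:
        sl = stack.pop()
        for c, chain in enumerate(chains):
            nxt = sl[:c] + (sl[c] + 1,) + sl[c + 1:]
            if nxt[c] < len(chain) and nxt not in seen and feasible(chains, nxt):
                seen.add(nxt)
                stack.append(nxt)
    return seen


def is_safe(chains, start):
    """Safe means the terminal slice is accessible through feasible slices only."""
    return tuple(len(ch) - 1 for ch in chains) in accessible(chains, start)


def adequate_copies(prefix, iterand, suffix, others, start):
    """Section 5.3: rectify the loop on chain 0 with n = 1, 2, ... copies of the iterand.

    Returns (n, "unsafe") when start stops being safe at n copies, or
    (n, "adequate") when an accessible slice lets chain 0 cross the whole n-th
    copy alone (uni-chain macro-move) and the slice it lands on is still safe.
    """
    for n in range(1, sum(len(ch) for ch in others) + 2):   # assumed search bound
        chains = [prefix + iterand * n + suffix] + others
        acc = accessible(chains, start)
        if tuple(len(ch) - 1 for ch in chains) not in acc:
            return n, "unsafe"
        first = len(prefix) + (n - 1) * len(iterand)        # first arc of n-th copy
        for sl in (s for s in acc if s[0] == first):
            crossing = [(i,) + sl[1:] for i in range(first, first + len(iterand))]
            if all(feasible(chains, s) for s in crossing) and is_safe(chains, crossing[-1]):
                return n, "adequate"
    return None                                             # undecided within the bound


def safe_manifold(prefix, alternatives, suffix, others, start, chooser):
    """Section 5.4: try the alternative chains after a point of choice one at a time.

    chooser="allocator": one crossable alternative is enough;
    chooser="process":   every alternative must be crossable.
    start must lie before the point of choice on chain 0.
    """
    verdicts = [is_safe([prefix + alt + suffix] + others, start) for alt in alternatives]
    return any(verdicts) if chooser == "allocator" else all(verdicts)


# --- constructed loop example: chain 0 is ZERO, P, (X, Z, Y, Z)*, ZERO ---------------
P, X, Z, Y = (1, 1), (3, 1), (1, 1), (1, 3)
PREFIX, ITERAND, SUFFIX = [ZERO, P], [X, Z, Y, Z], [ZERO]
# Each phase of the other chain fits beside X or beside Y, never both; the
# (3, 3) phase fits only beside a zero-demand arc, so chain 0 must finish first.
B_ALTERNATING = [ZERO, (0, 2), (2, 0), (0, 2), (2, 0), (3, 3), ZERO]
# Variant with an idle phase beside which the whole iterand fits.
B_WITH_IDLE = [ZERO, (0, 2), (2, 0), ZERO, (3, 3), ZERO]
TEST_SLICE = (1, 1)          # chain 0 in phase P, other chain in its first phase

# --- constructed point of choice: two one-arc alternatives after P -------------------
LEFT, RIGHT = [(3, 1)], [(1, 3)]
B_CHOICE = [ZERO, (0, 2), (3, 3), (2, 0), (3, 3), ZERO]
Y1, Y2 = (1, 1), (1, 3)      # other chain in its (0, 2) phase, or in its (2, 0) phase

if __name__ == "__main__":
    for n in (1, 2, 3):
        chains = [PREFIX + ITERAND * n + SUFFIX, B_ALTERNATING]
        print(n, "copies, test slice safe:", is_safe(chains, TEST_SLICE))
    print(adequate_copies(PREFIX, ITERAND, SUFFIX, [B_ALTERNATING], TEST_SLICE))
    print(adequate_copies(PREFIX, ITERAND, SUFFIX, [B_WITH_IDLE], TEST_SLICE))
    for name, sl in (("y1", Y1), ("y2", Y2)):
        for alt_name, alt in (("left", LEFT), ("right", RIGHT)):
            print(name, alt_name, is_safe([[ZERO, P] + alt + [ZERO], B_CHOICE], sl))
        for who in ("allocator", "process"):
            print(name, who, safe_manifold([ZERO, P], [LEFT, RIGHT], [ZERO], [B_CHOICE], sl, who))
```

With the alternating chain the test slice is safe for one and two copies of the iterand and unsafe for three; with the idle phase one copy is already adequate. Neither alternative alone gives the right verdict for both y1 and y2.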

§6.1 Demand Graph Analysis of Resource Sharing — in Perspective

Deadlocks due to resource sharing are a result of limited re- 
sources and hoarding of allocated resources. In general, the avoidance 
of deadlock requires control of the acquisition of such resources by 
users, the entities that acquire and release resources. Total se- 
quencing of the users, so that they proceed one at a time until com- 
pletion, is always possible if no user ever needs more resources than 
are in the pool. Such control is gross and wasteful. Finer control 
requires information about resource usage by users. 

The demand graph model is a model for the representation of 
information about resource usage by users when their activity can be 
divided into phases of known and steady resource usage. What scale 
of activity a phase represents can vary with the circumstances. The 
ability to represent a set of phases as a single phase whose demand 
is the least upper bound of the demands of the original phases is the 
key to this facility. The assumption of Habermann [3], that only the 
maximum demands of a user are known, corresponds to combining all the 
phases (other than the initial and terminal arcs) of the subgraph that 
represents the activities of a user and representing them by a single 
phase, whose demand is the least upper bound of the demands of all 
slivers of the sub-graph. It thus represents one extreme. However, 
there is a whole range of scales of representation on one side of that 
extreme, and demand graph analysis serves to illustrate what can be 
done in that range. 



§6.2 Non-linearity in Algorithms 

Between Scalar and Vector Demand Graphs there is a quantum jump 
in the amount of computation that a safeness algorithm has to do in the 
worst case. While it is to be expected that the amount of computation 
in the worst case increases as the number of components of demand in- 
creases, the increase would seem to depend more on the particular 
figures of demand encountered than on the number of components. For 
the Augmented Safeness Algorithm becomes non-linear only when it finds
barriers before it finds arcs with total reduction in demand that sat- 
isfy the test of the Basic Algorithm; thus it is clear that the oc- 
currence or non-occurrence of such lows of demand is what determines 
the amount of computation. However, the likelihood of occurrence of 
such lows in all components of demand may decrease as the number of 
types of resources in the systems represented increases. 

It should be borne in mind that the non-linearity of the Aug- 
mented Safeness Algorithm is also a consequence of its local nature. 
The proof of non-linearity of the Augmented Safeness Algorithm as- 
sumed that even when barriers are discovered on all chains, the con- 
siderations for a slice to possess the prefix property must still be 
based on arbitrary extensions — not just those that also have barriers 
on all chains. This assumption was based on the particular defini- 
tion used for local algorithms. 

The principal cause for the non-linearity of the Augmented Safeness
Algorithm is the fact that there are situations in which exactly
one combination of crutches is useful and this can only be discovered 
by trial and error by a local algorithm. 

The principal factor in the proof of non-linearity in arbo- 
raceous demand graphs even with scalar demands is the existence of 
situations in which a pre-synchronisation slice is accessible by 
exactly one sequence of chains on which to make moves. Here, too, if 
the demands on arcs incident on and emanating from points of syn- 
chronisation are small enough, then the amount of computation a safe- 
ness algorithm has to use does not become very large. 

§6.3 Demand Graph Analysis in Operations Research 

The problem of deadlocks is as serious in transportation, manu- 
facturing, maintenance, etc., as it is in computer systems. That it 
has not been recognized in operations research is unfortunate, since 
the fields to which operations research addresses itself are those 
that are commonly encountered. 

The assumptions for the demand graph model, viz that processes 
go through phases of known and steady resource usage, are particularly 
apt for manufacturing and other similar spheres of activity. The
example of a maintenance hangar for aeroplanes in Chapter 1 is a case
in point.

It should be pointed out that the assumption of an asynchronous
nature for the processes in the analysis is not crucial, and its viola- 
tion does not invalidate the results as far as scheduling problems in 
operations research are concerned. For deadlocks are caused by 
hoarding and improper coordination of the acquisition of resources by 
activities, not by the unpredictability of the durations of various 
phases of activity. That these durations are not known in asynchronous 
systems, merely implies that the activities should be viewed as dis- 
crete phases with a sequencing structure, rather than as continuous 
on-going activity. 

The effect of knowledge of processing times or duration of 
phases is to make the various connected sequences of feasible slices 
from a safe slice to the terminal slice unequal — some sequences may 
be preferred over others, say because they result in a lower average 
running time for the processes. However, if a slice is not safe, then 
no schedule will allow all the processes to complete without deadlock. 
Thus considerations of deadlock prevention have the effect of elimi- 
nating certain schedules from the set of schedules that are considered 
for minimization of running time. All the work that has been done so 
far on selection of schedules that optimize running times can be ap- 
plied to this reduced set. 

§6.4 Use of Demand Graphs In Computer Systems

Deadlocks can occur in computer systems because processes com- 
monly hoard resources such as locked data bases, main memory in sys- 
tems with a single level memory, etc. Thus it would seem that demand 
graph analysis would be useful, and the next few sections touch upon 
some of the relevant issues. 

The discussion in Chapter 1 pointed out that the scale for 
description of a computation (the activity of a "user" or a set of 
"users") as a sequence of phases can be chosen to suit the circum- 
stances. Thus, it is possible to consider a phase as representing the 
execution of a single procedure or of a set of procedures, for instance. 
In other instances the phases may represent execution of parts of a pro- 
cedure. The scale can, therefore, be chosen to suit the circumstances. 

Although the discussion thus far has not touched on the effect 
of priorities, the use of priority schemes is not precluded. The 
analysis of Chapters 2 to 5 is invariant with choice of a priority 
scheme. It is perfectly reasonable to have any scheme, whatsoever, to 
select one or a few of several competing processes to receive resources, 
as long as allocating those resources corresponds to a move to a safe 
slice in the demand graph representation. In fact, one can even rep- 
resent facilities such as guaranteed service, by modifying the safeness 
algorithms. If a certain sequential process needs to be guaranteed 
of always being able to proceed with the next k phases (for some value 
of k) as soon as it finishes the current one, then the safeness algorithm 
can be modified to assure such a process; for it can be made to ensure
that every sequence of moves it constructs, during a test for safeness 
of any slice, begins with a uni-chain macro-move across k transitions 
on the chain representing that process. A page swapping process may 
perhaps be an instance of such a process. 

Interactive systems are somewhat different. In such systems a 
user needs to be guaranteed not just of being able to complete his 
computation, but of being able to complete it within a reasonable 
amount of time. This "reasonable wait" constraint is usually quite 
strong and may imply either that the ability to preempt resources is 
required, no matter what the cost, or that computations should not be 
accepted until the expected time to completion is less than a certain 
limit. In such instances the analysis of demand graphs is still quite 
useful although, at times, only to provide guidelines or a philosophy, 
rather than to be applied directly and in detail. 

System designers should not be distressed by the non-linearity 
of safeness algorithms for vector demand graphs. The large amounts of 
computation that non-linearity implies relate to worst cases and not 
necessarily to ordinary cases. Secondly, compromises are possible, 
since it is only required that the states that are permitted to occur 
are represented by safe slices, not that all states that are represented
by safe slices be permitted to occur. The cases in which the amount of 
computation begins to become rather large could be handled by refusal 
to consider the states represented by these slices for allocation. 
Thus requests from processes for additional allocation may be denied
because the slice representing the state that would result is unsafe, 
or because determination of its safeness takes too much computation. 
In this context the discussion in Section 6.1 on the scale of repre- 
sentation is quite relevant. In any case, the results in this thesis 
point out the sources of complexity and the degree of complexity that 
can be encountered. Non-optimal strategies may be more practical and 
better, as long as extremes are avoided. The non-linearity of the 
Augmented Safeness Algorithm could thus be only of academic interest. 
Moreover, good heuristics could probably be found for commonly oc- 
curring situations. 

Finally, there is a trend towards making resources preemptable 
on the one hand and effectively infinite on the other. The implementa- 
tion of virtual memory schemes on multi-level memories is indicative 
of this trend. The trend is immensely desirable. However, deadlocks 
owing to sharing of locked data bases will continue to arise in com- 
puter systems, making coordinated allocation of such resources to 
avoid deadlock imperative. 



† It should be pointed out that the Basic Algorithm in Chapter 3 only
uses a sufficient condition (rather than a necessary and sufficient
condition) as a test, anyway.

§6.5 Conclusions and Future Work

The demand graph model for the analysis of deadlocks is not the 
last word on the subject. Chapter 5 showed that the techniques of 
analysis become unmanageably cumbersome for unrestricted and augmented 
demand graphs. This is largely a consequence of the complex structures 
that these graphs exhibit. However, good algorithms for testing the 
safeness of slices of such graphs need to be devised and may require 
considerable ingenuity. 

Moreover, there are several situations that demand graphs are 
incapable of representing. An output process for a group of recurring 
or cyclic processes that treats pieces of data from all processes 
symmetrically and operates with a finite buffer memory, which it shares 
with other output processes, is such an example. The full power of 
(unsafe) Petri nets [8] is required for the representation of such a 
system. For Petri net "conflicts" are required to represent the sym- 
metrical treatment of pieces of data from all processes and the init- 
iation of output as soon as possible after any such piece has arrived, 
without pre-ordained sequencing of the handling of outputs from the 
various processes served. This would suggest that Petri nets with 
numbers (demands) on places and constraints (capacity constraints) may 
be worth examining ab initio with a view to representing systems for 
analysis of deadlock. 

In concluding, it should be pointed out that the work in this
thesis represents an attempt to construct models for activities in 
systems so as to aid understanding and analysis of systems. Computer 
systems, in particular, need such models to aid in the understanding 
of fundamental problems. Such models are also required to provide 
tools for debugging of systems that are so complex that comprehension 
of the whole is almost impossible. The fact, that in using demand 
graphs to analyze consistency of use of locks on data bases one can 
construct the demand graph one process or one computation at a time, 
is of great value. For then mechanical tools (such as safeness algo- 
rithms) can handle the interactions of the parts in the complex whole. 
It is to be earnestly hoped that more debugging tools of this nature 
will be devised. 

An examination of the lattice of slices of a demand graph such
as that in Figure 2.4 shows an apparent redundancy of information. For
instance, in the lattice of Figure 2.4, all the arc labels have appeared
in slice labels by rank 4. This suggests that a test of a kind differ- 
ent from that considered in the main body of this thesis may be possible. 
Such a test would utilize this observation, viz that the first few ranks 
of the lattice of slices contain a good deal of information. The test 
is, in general, a (K, p) feasibility test, i.e. a test which seeks p 
connected sequences of feasible slices from the test slice, y, to a 
slice K ranks above y in the lattice. 

The test that is of particular interest is a (K, 1) feasibility 
test, especially because it is comparable to the tests discussed earlier. 
It should be interesting to determine how large K has to be in relation 
to L , the rank of y relative to y. In determining such a lower 
bound on K, however, it is proposed to take a more mathematical approach 
in this appendix than has been taken so far. The intent of the analysis 
is to explore the effectiveness of such an approach rather than to obtain 
a tight bound for K. The investigation will therefore concern general 
questions such as what patterns of feasibility and infeasibility over the 
lattice of slices can be obtained, and so on. The mathematical tool that 
will be used is the theory of linear inequalities. 

The reason why it appears, intuitively, that some patterns of 
feasibility and infeasibility may not be attainable is because these two 
types of constraints are opposite in nature and, therefore, could give
rise to a contradiction. For example, suppose slices $A_2B_2C_2$ and
$A_3B_3C_3$ of a three-chain demand graph were required to be feasible. Then
could $A_2B_3C_3$ and $A_3B_2C_2$ both be infeasible? Clearly not, for the
feasibility requirements imply that

$$d(A_2) + d(B_2) + d(C_2) \le C$$

$$d(A_3) + d(B_3) + d(C_3) \le C$$

i.e.

$$d(A_2) + d(B_2) + d(C_2) + d(A_3) + d(B_3) + d(C_3) \le 2C$$

$$[d(A_2) + d(B_3) + d(C_3)] + [d(A_3) + d(B_2) + d(C_2)] \le 2C$$

which clearly contradicts the infeasibility constraints.

In simple cases such as the example shown above, the incompati- 
bility of the (four) constraints may be quite obvious. When a large number 
of constraints is involved, however, the incompatibility of constraints 
may be much less obvious. For this reason, it is proposed to seek sim- 
pler tests based on the exhibition of a well defined structure by the 
constraints. The principal task, then, is to determine what structures 
have important implications in this regard. It will be assumed that the 
demand graphs are rectilinear and that in any example the number of chains 
and the number of arcs on each chain are known, as is the capacity asso- 
ciated with the graph, but that values of demand that satisfy a given set 
of constraints are sought. 
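
An added example, not from the thesis, that decides mechanically whether any scalar demands can realise a given pattern of feasible and infeasible slices. It uses Fourier-Motzkin elimination over exact rationals, a general technique chosen here rather than a structural test; the capacity value 10 and the function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product


def compatible(rows, nvars):
    """Decide whether a system of linear inequalities has a rational solution.

    Each row is (coeffs, bound, strict) and means sum(coeffs[i] * x[i]) <= bound,
    or < bound when strict is True. Variables are eliminated one at a time.
    """
    rows = [([Fraction(c) for c in co], Fraction(b), s) for co, b, s in rows]
    for v in range(nvars):
        upper = [r for r in rows if r[0][v] > 0]    # rows bounding x_v from above
        lower = [r for r in rows if r[0][v] < 0]    # rows bounding x_v from below
        rows = [r for r in rows if r[0][v] == 0]
        for (uc, ub, us), (lc, lb, ls) in product(upper, lower):
            fu, fl = 1 / uc[v], 1 / -lc[v]          # positive multipliers cancelling x_v
            combined = [fu * a + fl * b for a, b in zip(uc, lc)]
            rows.append((combined, fu * ub + fl * lb, us or ls))
    # Only constant rows "0 <= bound" or "0 < bound" are left.
    return all(0 < b if s else 0 <= b for _, b, s in rows)


def pattern_rows(arcs, capacity, feasible, infeasible, nonnegative=False):
    """Translate a feasibility pattern into rows; one unknown demand per arc."""
    index = {arc: i for i, arc in enumerate(arcs)}

    def row(slice_arcs, sign):
        coeffs = [0] * len(arcs)
        for arc in slice_arcs:
            coeffs[index[arc]] = sign
        return coeffs

    rows = [(row(s, 1), capacity, False) for s in feasible]        # sum <= C
    rows += [(row(s, -1), -capacity, True) for s in infeasible]    # -sum < -C
    if nonnegative:  # optional extra constraint d(arc) >= 0, an assumption added here
        rows += [(row([arc], -1), 0, False) for arc in arcs]
    return rows


def pattern_attainable(arcs, capacity, feasible, infeasible, nonnegative=False):
    rows = pattern_rows(arcs, capacity, feasible, infeasible, nonnegative)
    return compatible(rows, len(arcs))


# The three-chain example from the text, with a constructed capacity of 10.
ARCS = ["A2", "B2", "C2", "A3", "B3", "C3"]
FEASIBLE = [("A2", "B2", "C2"), ("A3", "B3", "C3")]
INFEASIBLE = [("A2", "B3", "C3"), ("A3", "B2", "C2")]

if __name__ == "__main__":
    print("both infeasible:", pattern_attainable(ARCS, 10, FEASIBLE, INFEASIBLE))
    print("only A2B3C3 infeasible:", pattern_attainable(ARCS, 10, FEASIBLE, INFEASIBLE[:1]))
```

The constant row `0 < 0` that makes the first pattern fail is the sum of the four inequalities, the same contradiction the text derives by hand.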

The discussion to follow assumes scalar demands but it is
conjectured that the results are valid also for vector demand graphs.

Each requirement of feasibility of a slice imposes a constraint
of the form

$$\sum_{i=1}^{m} a^j_{r_i} \le C \qquad \text{for the } j\text{th such slice}$$

where $a^j_{r_i}$ is the concise notation for $d(\sigma^i_{r_i})$ and the superscript j
merely serves to identify the slice to which the inequality relates.

Similarly, each requirement of infeasibility imposes a constraint of the
form

$$\sum_{i=1}^{m} a^j_{r_i} > C \qquad \text{or} \qquad \sum_{i=1}^{m} (-a^j_{r_i}) < -C$$

The question of the compatibility of the feasibility and infea- 
sibility requirements thus reduces to that of the consistency of a set 
of inequalities made up of inequalities of these two types. The theorem 
which follows relates to this question directly. It is taken from 
Cernikov [18].

"Theorem [3.4]. Let

$$f_j(x) - a_j \le 0 \qquad j = 1, 2, 3, \ldots, m$$

be an arbitrary compatible system of inequalities over the linear space†
L(P) where P is an arbitrary ordered field; then the system

$$f_j(x) - a_j < 0 \qquad j = 1, 2, \ldots, m'; \quad m' \le m$$

$$f_j(x) - a_j \le 0 \qquad j = m'+1, \ldots, m$$

$$x \in L(P)$$

is compatible iff the equation

$$\sum u_j f_j(x) = 0 \qquad \text{with the unknowns } u_1, u_2, \ldots, u_m$$

has no positive solutions satisfying the condition

$$a_1u_1 + \ldots + a_mu_m = 0; \qquad u_1 + u_2 + \ldots + u_{m'} > 0$$"

† See [9].

In the discussion which follows, the linear space L(P) is the
linear space over the field of rational numbers since the components of
demand are rational numbers.

An intuitive understanding of the theorem can be obtained by
rewriting the inequalities as

$$f_j(x) < a_j, \quad j = 1, 2, \ldots m'; \quad m' \le m$$

$$f_j(x) \le a_j, \quad j = m' + 1, m' + 2, \ldots m$$

Each $f_j(x)$ is of the form $p_1 x_1 + p_2 x_2 + \ldots + p_n x_n$, where
n is the dimension of the linear space L(P). Since multiplying an
inequality by a positive constant leaves the inequality unaltered, if
positive multipliers $u_j$ can be found which (after multiplication) make
the sum of the left hand sides identically zero, then in a compatible
system the corresponding sum of the right hand sides must be greater than
zero (unless no non-zero multiplier multiplies any inequality in the
second group), or else one gets the absurd conclusion 0 < 0! What is less
obvious, and therefore interesting, is that this condition is also
sufficient for compatibility.

Now, a given pattern of feasibility and infeasibility implies
that a set of inequalities be true simultaneously. This set is

$$A: \quad \begin{cases} \sum_{i=1}^{m} a^{j}_{r_i} \le C, & j \in [1, p'] \text{ for the } p' \text{ feasible slices} \\ \sum_{i=1}^{m} \left(-a^{j}_{r_i}\right) < -C, & j \in [p' + 1, p] \text{ for the } p - p' \text{ infeasible slices} \end{cases}$$

The theorem quoted above is applicable to this set of inequalities only
if it is compatible when the inequality in the second group is changed to
"≤". But this is clearly true, since a value of $C/m$ for each $a_{r_i}$
results in satisfaction of all of the resulting inequalities. Therefore,
the theorem is applicable to the set, A, of inequalities given above.

In order to apply the theorem to the inequalities in A, a
correspondence of terms must be set up. Consider one of the inequalities
in A:
$$a^{j}_{r_1} + a^{j}_{r_2} + \ldots + a^{j}_{r_m} \le C$$

(The $j$ merely identifies the slice from which the inequality comes and
hence which $a$'s appear.)

The variables here are the demands $a_{r_i}$. Let the total number of
distinct demand variables appearing in A be N. Then the above inequality
is of the form

$$[1, 0, 0, \ldots 1, 0, \ldots] \; \mathbf{a} \le C$$

where the column vector $\mathbf{a}$ is the vector of N demand variables,
and the row vector, with m components having a value 1, serves to pick out
those components of $\mathbf{a}$ which appear in the inequality above.
Thus $\mathbf{a}$ corresponds to the x of the theorem. The row vector of
1's and 0's is called a selection vector.

Now the equation

$$\sum_{j=1}^{m} u_j f_j(\mathbf{a}) = 0$$

in the variables $u_j$ is really an identity in terms of $\mathbf{a}$,
since the equation has to be true for all values of $\mathbf{a}$.

The two lemmas which follow interpret the implications of the
theorem stated above in terms of two patterns of feasibility and
infeasibility. The patterns are described in terms of a substructure of
the lattice of slices called a hull, a precise definition of which appears
later.

A sub-lattice is a subset of the elements of the lattice which is
itself a lattice under the same definitions for computing least
upper bounds and greatest lower bounds. It can be shown that a sub-set
of a lattice that is closed under the operations of the lattice is a
sub-lattice. Consequently, one can generate a sub-lattice from any
sub-set of a finite lattice by adding the elements needed to make the set
closed.

The hull of a set, A, of slices is the set of all slices, $\alpha$, in the
lattice that satisfy g.l.b.(A) $\le \alpha \le$ l.u.b.(A). Figure 1 shows
the hull of a set of slices. The hull of a set of slices is a sub-lattice
of the lattice of all slices since the hull is closed with respect to the
operations of extracting the greatest lower bounds and least upper bounds
of slices. It is clear that every slice in the hull of a set of slices,
A, lies on a directed path from g.l.b.(A) to l.u.b.(A).



[Figure 1: The hull of a set of slices. (Uncircled elements are not in
the hull.)]

LEMMA 1. Let D be a demand graph of m chains with $n_i$ arcs
on the $i$th chain. Let $\gamma_1, \gamma_2, \ldots \gamma_p$ be slices of
D required to be infeasible and $\gamma_{p+1}, \ldots \gamma_q$ be slices
required to be feasible. Then a set of demands for the arcs
of the demand graph that ensure that all these conditions
are met exists if none of the slices $\gamma_{p+1}, \ldots \gamma_q$ lies
in the hull of $\gamma_1, \ldots \gamma_p$ (or symmetrically, if none of
the slices $\gamma_1, \ldots \gamma_p$ lies in the hull of
$\gamma_{p+1}, \ldots \gamma_q$).



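PROOF: The system of inequalities whose consistency is being
examined consists of the two sets of inequalities:

$$\sum_{i=1}^{m} -a^{j}_{r_i} < -C, \quad j \in [1, p] \qquad (1)$$

corresponding to the infeasible slices, $\gamma_1, \gamma_2, \ldots \gamma_p$, and

$$\sum_{i=1}^{m} a^{j}_{r_i} \le C, \quad j \in [p + 1, q] \qquad (2)$$

corresponding to the feasible slices, $\gamma_{p+1}, \gamma_{p+2}, \ldots \gamma_q$.

Step 1: Suppose that positive multipliers $\lambda_1, \lambda_2, \ldots \lambda_p$
and $\mu_{p+1}, \ldots \mu_q$ for the two sets exist such that

$$\lambda_1 \Big( \sum_{i=1}^{m} -a^{1}_{r_i} \Big) + \lambda_2 \Big( \sum_{i=1}^{m} -a^{2}_{r_i} \Big) + \ldots + \mu_{p+1} \Big( \sum_{i=1}^{m} a^{p+1}_{r_i} \Big) + \ldots + \mu_q \Big( \sum_{i=1}^{m} a^{q}_{r_i} \Big) = 0$$

i.e.,

$$\lambda_1 \Big( \sum_{i=1}^{m} a^{1}_{r_i} \Big) + \ldots + \lambda_p \Big( \sum_{i=1}^{m} a^{p}_{r_i} \Big) \equiv \mu_{p+1} \Big( \sum_{i=1}^{m} a^{p+1}_{r_i} \Big) + \ldots + \mu_q \Big( \sum_{i=1}^{m} a^{q}_{r_i} \Big) \qquad (3)$$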
Then, for consistency, the theorem requires that

$$(-C) \cdot \sum_{j=1}^{p} \lambda_j + (C) \cdot \sum_{k=p+1}^{q} \mu_k > 0$$

be true unless $\lambda_j$ is 0 for all values of $j$.

Consider the identity in (3). It will be noticed that as each term
in parentheses relates to a slice, it contains exactly m variables, each
with coefficient 1. Since one can multiply (3) through by the LCM of the
denominators of the $\lambda$'s and $\mu$'s to get integer multipliers, it
may be assumed that the $\lambda$'s and $\mu$'s are integers so that one
can speak of the number of terms on one side of (3). The number of terms
appearing on the left hand side when (3) is expanded out is
$m \sum_{1}^{p} \lambda_j$ whereas that on the right hand side is
$m \sum_{p+1}^{q} \mu_k$. Since (3) is an identity, it is necessary,
inter alia, that these two numbers be equal. Thus

$$\sum_{1}^{p} \lambda_j = \sum_{p+1}^{q} \mu_k$$

Therefore,

$$-C \sum \lambda_j + C \sum \mu_k = 0$$

The system of inequalities consisting of (1) and (2), therefore, is
inconsistent if positive integer values for the $\lambda$'s and $\mu$'s
exist that satisfy (3).
The identity in (3) can be rewritten in terms of the selection
vectors so as to eliminate the variables. It then becomes the set of N
equations

$$[\lambda_1 \; \lambda_2 \; \ldots \; \lambda_p] \begin{bmatrix} \text{selection vector for } \gamma_1 \\ \vdots \\ \text{selection vector for } \gamma_p \end{bmatrix} = [\mu_{p+1} \; \mu_{p+2} \; \ldots \; \mu_q] \begin{bmatrix} \text{selection vector for } \gamma_{p+1} \\ \vdots \\ \text{selection vector for } \gamma_q \end{bmatrix}$$

Now both sides of this identity can be multiplied by the N × 1 vector of
$\alpha$'s which corresponds to $\mathbf{a}$. One then gets an identity
which is identical to (3) but with arc-labels rather than demands in it.
Call the new identity (4); it is an identity of algebraic expressions
whose terms are the arc labels $\alpha^{i}_{r_i}$.

That values for the $\lambda$'s and $\mu$'s that satisfy (3) should not
exist, implies (in terms of the identity (4)) that values for the
$\lambda$'s and $\mu$'s that satisfy (4) should not exist. That is, for
consistency no permutation of the collection of labels of slices in a
selection (with repetition) from the set
$\{\gamma_1, \gamma_2, \ldots \gamma_p\}$ should produce a collection of
labels that is also a permutation of the collection of labels of slices in
a selection of the same size from $\{\gamma_{p+1}, \ldots \gamma_q\}$
(again with repetition allowed); selection of a slice more than once
corresponds to a multiplier $\lambda$ (or $\mu$) which is greater than one.

Step 2: Now consider a selection $\Sigma$ (in this proof, always with
repetition allowed) from $\gamma_1, \ldots \gamma_p$. Then any permutation
of the collection of labels of these slices that yields slice-labels must
satisfy the condition that each component $\alpha^{i}_{r_i}$ of a new
slice label satisfies:

    g.l.b. of the arc numbers $r_i$ of the $\chi_i$ components of slice
    labels in $\Sigma$
        $\le r_i \le$
    l.u.b. of the arc numbers $r_i$ of the $\chi_i$ components of slice
    labels in $\Sigma$

therefore,

    g.l.b. of the $\chi_i$ arc components of the slices in the selection
    $\Sigma$
        $\le \alpha^{i}_{r_i} \le$
    l.u.b. of the $\chi_i$ arc components of the slices in the selection
    $\Sigma$

since the arcs on each chain are numbered in sequence downwards. Thus

    g.l.b. of the slices from the selection
        $\le$ the slice in question (resulting from a permutation) $\le$
    l.u.b. of the slices from the selection

i.e., the slice lies in the hull of $\{\gamma_1, \ldots \gamma_p\}$.

(For example one slice-label resulting from the permutation 
of ci-j^xr, and ot'^ct c/ ? is a^tfii , which clearly satisfies 



a oi^a - ,:^a a -- a 01 „&, , and 7,3 -o^ does lie m the hull 



c 123 123 , 123, 

Ot 3c O. 'rfiry, On, 0! a and a Q' 01 , . ) 



3 2 2' 231 12" 



Thus, if none of the slices $\gamma_{p+1}, \ldots \gamma_q$ lies in the
hull of $\gamma_1, \ldots \gamma_p$, then the collection of labels in any
selection from $\gamma_1, \ldots \gamma_p$ is not a permutation of the
collection of labels in a selection from
$\{\gamma_{p+1}, \ldots \gamma_q\}$. Thus no inconsistency can result and,
therefore, demands for the arcs exist so that both the feasibility and
infeasibility requirements are satisfied.

Q.E.D.
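The hull condition of Lemma 1 can be checked mechanically on a small demand graph. The Python sketch below is an added example, not part of the thesis: the function names, the encoding of a slice label as a tuple of arc numbers (one per chain), and the sample slices and capacity are assumptions made for illustration, and the search covers only integer scalar demands between 0 and C.

```python
from itertools import product

def hull(slices):
    """Slice labels lying componentwise between g.l.b. and l.u.b. of `slices`.

    A label is a tuple (r_1, ..., r_m): the arc number chosen on each chain.
    """
    lo = [min(col) for col in zip(*slices)]
    hi = [max(col) for col in zip(*slices)]
    return set(product(*(range(a, b + 1) for a, b in zip(lo, hi))))

def lemma1_holds(infeasible, feasible):
    """Lemma 1 hypothesis: no required-feasible slice lies in the hull of the
    required-infeasible slices (a sufficient condition for demands to exist)."""
    h = hull(infeasible)
    return all(s not in h for s in feasible)

def find_demands(arcs_per_chain, capacity, infeasible, feasible):
    """Exhaustive search over integer demands 0..capacity for every arc.

    Returns {(chain, arc): demand} meeting every requirement, or None.
    """
    arcs = [(i, r) for i, n in enumerate(arcs_per_chain, 1)
            for r in range(1, n + 1)]
    for values in product(range(capacity + 1), repeat=len(arcs)):
        d = dict(zip(arcs, values))
        def load(s):
            return sum(d[(i, r)] for i, r in enumerate(s, 1))
        if (all(load(s) > capacity for s in infeasible)
                and all(load(s) <= capacity for s in feasible)):
            return d
    return None

# Constructed sample: two chains, capacity C = 4.
C = 4
# Feasible slice (3,3) is outside hull{(1,1),(2,2)}: Lemma 1 promises demands.
ok = find_demands((3, 3), C, [(1, 1), (2, 2)], [(3, 3)])
# Feasible slices (1,1),(2,2) lie inside hull{(1,2),(2,1)} and their labels
# are a permutation of the infeasible ones, so identity (3) has a solution.
bad = find_demands((2, 2), C, [(1, 2), (2, 1)], [(1, 1), (2, 2)])

if __name__ == "__main__":
    print("hull:", sorted(hull([(1, 2), (2, 1)])))
    print("demands found:", ok)
    print("inconsistent case:", bad)
```

In the second case the two infeasible slices and the two feasible slices use the same four arcs, so adding the inequalities pairwise gives a total demand that is both greater than 2C and at most 2C, which is the inconsistency described in Step 1.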



LEMMA 2. Consider a demand graph with m chains, the $i$th
chain having $n_i$ arcs. Let $\{\gamma_1, \ldots \gamma_p\}$ be a set of
slices of the demand graph which lie in one rank, R, and
let $\gamma_1 \ldots \gamma_p$ be required to be infeasible. Furthermore,
let $\gamma_1 \ldots \gamma_p$ completely partition their hull,
i.e. there does not exist a slice at rank R that is in the
hull of $\{\gamma_1, \ldots \gamma_p\}$ but is not in
$\{\gamma_1, \ldots \gamma_p\}$.
Then if values of demand can be found so as to make the
slices $\gamma_1, \gamma_2, \ldots \gamma_p$ infeasible and all the slices
below rank R in the hull of $\{\gamma_1, \gamma_2, \ldots \gamma_p\}$
feasible, then no slice that lies above rank R in this hull can be
feasible.



PROOF: Let $\gamma$ be a slice in the hull at a rank greater than
R that is required to be feasible. Let
$\{\gamma_{j_1}, \gamma_{j_2}, \ldots \gamma_{j_\ell}\}$ be a minimal
subset of $\{\gamma_1 \ldots \gamma_p\}$ such that $\gamma$ is the l.u.b.
of $\gamma_{j_1}, \ldots \gamma_{j_\ell}$. That is,
$\{\gamma_{j_1}, \ldots \gamma_{j_\ell}\}$ is the smallest set of slices
at rank R whose l.u.b. is $\gamma$. Such a set has to exist since the set
of all slices at rank R that lie on a directed path from g.l.b.
$\{\gamma_1, \ldots \gamma_p\}$ to $\gamma$ certainly have $\gamma$ as a
l.u.b., and all such slices belong to the hull.

Now it will be shown that slices $\gamma_{s_1}, \ldots \gamma_{s_{\ell-1}}$,
all lying above rank R, exist such that the labels of
$\gamma, \gamma_{s_1}, \gamma_{s_2}, \ldots \gamma_{s_{\ell-1}}$ are
permutations of the labels of
$\gamma_{j_1}, \gamma_{j_2}, \ldots \gamma_{j_\ell}$.

In the discussion that follows the labels of slices $\gamma, \gamma' \ldots$
will be designated by $\gamma, \gamma' \ldots$. This should cause no
confusion as the context should resolve any ambiguity. The labels
$\gamma_{s_1}, \ldots \gamma_{s_{\ell-1}}$ are obtained as follows: Take
out the elements that make up $\gamma$ from
$\gamma_{j_1}, \gamma_{j_2}, \ldots \gamma_{j_\ell}$. Then take any of the
$\ell$ "stripped" labels remaining and distribute its components among the
other $\ell - 1$ stripped labels, giving each a component that is from the
same chain as the one it contributed to $\gamma$. The resulting labels are
$\gamma_{s_1}, \gamma_{s_2}, \ldots \gamma_{s_{\ell-1}}$.

(The construction is illustrated for $A_3 B_1 C_2$, $A_2 B_3 C_1$,
$A_1 B_2 C_3$ below:

    $\gamma_{j_1}, \gamma_{j_2}, \gamma_{j_3}$:  $A_3 B_1 C_2$   $A_2 B_3 C_1$   $A_1 B_2 C_3$

    $\gamma$:  $A_3 B_3 C_3$

    Stripped labels:  $B_1 C_2$   $A_2 C_1$   $A_1 B_2$

    Result of distribution:  $A_2 B_1 C_1$   $A_1 B_2 C_2$

Clearly,

$$(A_3 + B_1 + C_2) + (A_2 + B_3 + C_1) + (A_1 + B_2 + C_3) = (A_3 + B_3 + C_3) + (A_2 + B_1 + C_1) + (A_1 + B_2 + C_2).)$$
In general, it is obvious that
$\gamma, \gamma_{s_1}, \ldots \gamma_{s_{\ell-1}}$ is a permutation of
$\gamma_{j_1}, \gamma_{j_2}, \ldots \gamma_{j_\ell}$.

It remains to be shown that
$\gamma_{s_1}, \gamma_{s_2}, \ldots \gamma_{s_{\ell-1}}$ all lie above
rank R and are therefore feasible; this, together with the feasibility
of $\gamma$ and the infeasibility of
$\gamma_{j_1}, \gamma_{j_2}, \ldots \gamma_{j_\ell}$ leads to an
inconsistency.

It is obvious from the construction that

    Each component of a completed stripped label $\le$ The corresponding
    component of $\gamma$

For each label, $\gamma_s$, for some one component the relation is really
"<"; this is the component received in the distribution, i.e. the one
component the unstripped label alone can contribute to $\gamma$.

(E.g., $B_1$ (in $A_2 B_1 C_1$) < $B_3$ (in $A_3 B_3 C_3$) above)

Thus each of the resulting slices
$\gamma_{s_1}, \gamma_{s_2}, \ldots \gamma_{s_{\ell-1}}$ has an index sum
less than R.

Q.E.D.



LEMMA 3. If a slice $\gamma$ of a demand graph is feasible but
none of its immediate successors is, then no slice other than
$\gamma$ in the hull of its successors can be feasible.

THEOREM. Let D be an m-chain demand graph and let L be
the rank in the lattice of slices of its terminal slice, $\gamma$.
Let there exist a connected sequence of feasible slices from
a slice $\gamma$ of D to a slice, $\gamma'$, at rank L-m and let $\gamma'$
have m successors. Then the sequence can be extended to $\gamma$.

Lemma 3 follows from the fact that $\gamma$ is the only slice in the
hull of its successors that lies above the successors. The theorem
follows from Corollary 1; for the hull of the m successors extends m-1
ranks below themselves, and thus encompasses $\gamma$; therefore at least
one of the successors must be feasible (from Lemma 3) and one can apply
the result to the successors of that slice, and so on.

The theorem above is a result, regarding a (K, 1) safeness test, of
the kind that was sought at the beginning of the appendix. Undoubtedly,
many more results of this kind could be proved. The aim of the appendix,
however, is merely to indicate the nature of results that can be obtained
by utilization of the theory of linear inequalities.